Skip to content

Security Commitment and Compliance Standards

Committed to the highest levels of trust, transparency and compliance
Questionmark Service Security

Our commitment to security

We appreciate how critical security and reliability are to both our success and our customers. In a world where data breaches and requests for access to personal data are regular occurrences, it is essential that customers choose an assessment service provider that considers the protection and privacy of customer data a priority. Questionmark is committed to the highest levels of trust, transparency and compliance. Please email for more information.

Reporting security vulnerabilities

We investigate all legitimate reports of security vulnerabilities and do our best to quickly fill the gap in our defenses, and authorize the public to conduct good-faith research with the intent of reporting such vulnerabilities to Learnosity. If you believe you have found a vulnerability in any of our sites or products, please let us know ASAP at

Compliance standards

Our customers get the assurance they need. Our technologies and processes meet the latest compliance and security standards through external reviews and audits.

ISO 27001

ISO 27001

ISO 27001 is the most widely recognized information security standard in the world and Questionmark was accredited after in-depth assessment by external, accredited auditors. It recognizes companies for establishing, implementing, maintaining and continually improving their Information Security Management System (ISMS).



The General Data Protection Regulation (GDPR) is the European Union (EU) privacy law that imposes rules on organizations that store or manage data tied to EU residents. Questionmark is committed to GDPR compliance across our OnDemand and OnPremise services and provides GDPR guidance and related assurances within contracts and documentation to help customers be compliant.

EU U.S. Data Privacy Framework

EU-U.S. Data Privacy Framework

Questionmark is certified under the the EU-U.S. Data Privacy Framework (EU-U.S. DPF), including the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).



Questionmark’s US OnDemand service is committed to the Health Insurance Portability and Accountability Act (HIPAA) which sets the standard for dealing with protected health information (PHI) and ensures physical, network, and process security measures are in place and followed.

Cloud Security Alliance

CSA Cloud Security Alliance

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. CSA’s Security, Trust and Assurance Registry (STAR) is an industry leading program for providing assurance and validation that a participant is following security best practices for cloud providers. By completing the CSA STAR self-assessment, Questionmark shows transparency by a public report of the security measures in place to protect our customers data.

Cyber Essentials

Cyber Essentials

Cyber Essentials is a government-backed, industry supported cyber security certification scheme that sets out a good baseline of cyber security to protect against the vast majority of common cyber attacks.



FERPA is a US federal law protecting the privacy of student information. Questionmark’s US OnDemand service offers contract terms that include specific FERPA commitments and allows customers to administer assessments and store data in compliance with FERPA.

Student Privacy Pledge

Student Privacy Pledge

The Student Privacy Pledge is managed by The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA). Companies who sign up to it make legally enforceable commitments to affirm that they safeguard student data. The Student Privacy Pledge seeks to safeguard student privacy regarding the collection, maintenance, and use of student personal information. Questionmark has signed the Student Privacy Pledge and you can see more information here.



The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.



Questionmark has completed the Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment. Interested parties can request the completed assessment through the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) Community Broker Index (CBI).

Product security

Customers need the confidence that assessments are getting valid, reliable and defensible results. We’ve built security into our products from day one and continuously strengthen and improve security features across our assessment management system.

  • Secure locked-down browser Significantly minimize the risk of cheating and content theft.
  • Online, onsite and record and review proctoring Flexible proctoring solutions for both on-site and live-online (remote) proctoring.
  • Roles-based access Ensure your assessment administrators only see what you permit them to see.
  • Single sign-on using SAML Provide users with streamlined access, simplify administration and strengthen security.
  • Define password policies Create custom password policies that vary by role, tailored to your organization’s internal policies.

Service security and transparency

Questionmark operates a trustable, scalable and robust OnDemand Service for managing, delivering and reporting on assessments.  Questionmark’s OnDemand Service contains multiple layers of security, including physical safeguards, access control, environmental management and uninterruptible power supply, and is protected by firewalls to appropriately restrict access.

Access Control & Physical Security

  • Our infrastructure is hosted in the Microsoft Azure cloud with independent service offerings provided from the following locations – the EU, EU Central, AU, US, US Gov.
  • Every data center has 24-hour manned security, and access is restricted to select personnel with appropriate identification
  • Video surveillance, motion detectors and intruder alarms are located throughout each facility
  • Redundant power grid connections, batteries, multiple generators, tier-one internet connections and secure off-site backups

Network Protection

  • Internet traffic in and out of the data centers is encrypted using TLS
  • A custom Intrusion Detection System (IDS) monitors network traffic and finds malicious attacks before they occur
  • Each server in the various tiers is protected by a host-level firewall
  • A Bastion Host is used to allow system maintenance without damaging system security or integrity
  • Antimalware technology is used and updated on a regular basis

Application Monitoring and Transparency

Servers are continuously monitored for downtime and designed to notify the Network Operations Center for action to be taken immediately. The service is monitored from around the world to track performance and connect, processing and transfer times. We believe in transparency. Questionmark is willing to provide penetration test results for customers under NDA. For up-to-date details about the status of the OnDemand service, please refer to:

People Security

Systems and processes are only as secure as the people who manage them.  That’s why security is embedded into Questionmark’s company culture.

  • Independent background checks are carried out on every employee
  • Dedicated security team that reports directly to a board member to provide independence from operations
  • Employees are required to log on with two-factor authentication for key systems of record
  • Regular employee training and assessments are given on data security
  • Regular phishing tests are administered to check and optimize employee awareness
Microsoft and SAP

Global partnerships

Questionmark have long-established partnerships with two of the world’s technology leaders.

Government Procurement Frameworks

Government and public sector organizations handle some of the most sensitive data and are often under immense pressure to procure high-quality services with strict requirements and budgets.

As a key provider to the public sector, Questionmark OnDemand is listed on both the US and UK government procurement frameworks enabling government agencies to dramatically reduce the time spent procuring assessment technologies and solve their needs in a much more effective, time-efficient way.


Questionmark’s contract number is GS-35F-0380Y and the schedule covers Questionmark OnDemand for Government, Questionmark OnPremise, training, consultancy, support and annual Users Training Meeting.

GSA contract number GS-35F-0380Y


Questionmark’s G-Cloud listing covers Questionmark OnDemand within the latest iteration of the UK Government G-Cloud Framework, G-Cloud 13.

G-Cloud Service ID: 933151907015652



Questionmark has achieved authorization from the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP Authorization means that Questionmark has met cloud service offering compliance and security standards required to provide assessment services to U.S. Government and Military organizations.