Security & Compliance
Your data never leaves your control.
Security at KeneLabs is not a feature — it is the foundation. Every architectural decision, every API, and every data pipeline is designed with auditability, isolation, and human oversight as non-negotiable constraints.
AES-256
Encryption standard
TLS 1.3
Transport security
0
Auto-disqualifications
100%
Sessions on record
72h
PII deletion SLA
30d
Point-in-time recovery
01 / Pillar
Auditability
Every decision is traceable. Every session is on record.
Your institution deserves a complete, unambiguous paper trail for every assessment interaction — from the moment a test is published to the moment results are released.
Full session recording
Every test attempt is recorded with frame-by-frame integrity events capturing face presence, gaze, tab activity, and audio signals.
Exportable evidence packages
Generate PDF + JSON evidence exports for any flagged attempt — containing timestamps, screenshots, signal logs, and reviewer decisions.
Admin action logs
Every configuration change, student import, result edit, and access event is logged with actor identity, timestamp, and IP address.
Test snapshot at publish
Questions, marks, and settings are locked and versioned at test publish time — no retroactive edits without a new version record.
Question bank access trail
Every faculty member's access to the question bank is logged, so that any unauthorized sharing before an exam can be detected and attributed to an individual.
Student attempt timeline
Complete per-student timeline: join, first answer, idle gaps, tab switches, flagged events, and final submission — all at millisecond precision.
02 / Pillar
Access Control
The right people see only what they need. Nothing more.
Permissions are enforced at every layer of the system — the UI, the API, and the database. There is no path for a user to access data outside their assigned role.
Strict role hierarchy
HQ Admin → College Admin → Faculty → Student. Each role has a defined permission set; no role can escalate itself or access sibling-tenant data.
Tenant-level isolation by architecture
No cross-tenant data visibility is possible at the database layer. Tenant ID is a mandatory filter on every query — not a UI-level concern.
Invite-only admin onboarding
College admins and faculty are onboarded via time-limited, cryptographically signed invite tokens. Public registration is disabled for administrative roles.
Bearer token authentication
All API endpoints require role-matched Bearer tokens. Token payloads are validated server-side on every request — no client-side trust.
Session expiry & forced logout
Sessions expire after configurable inactivity periods. Role changes and deactivations force immediate session termination across all devices.
IP allow-listing (enterprise)
Institution admin panels can be restricted to specific IP ranges. Available on Pro Plus and Ultra Pro plans.
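The tenant filter and role hierarchy described above, as an added illustration rather than KeneLabs' own code. It assumes a single shared table with a tenant_id column (the schema-level isolation described under Data Protection would sit on top of this as a further layer) and principal claims already extracted from a verified bearer token; the table contents, user ids and tenant names are constructed sample data. The point is that the tenant predicate is bound once from the principal and applied to every statement, including lookups by primary key, and the unscoped lookup is shown alongside it to make the leak it prevents concrete:

```python
import sqlite3
from dataclasses import dataclass

# Role hierarchy from the page, most privileged first.
ROLE_RANK = {"HQ Admin": 3, "College Admin": 2, "Faculty": 1, "Student": 0}


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    """Claims copied from an already-verified bearer token (assumed shape)."""
    user_id: str
    tenant_id: str
    role: str


def require_role(principal, minimum):
    """Reject callers below `minimum` in the hierarchy; a role cannot escalate itself."""
    if ROLE_RANK[principal.role] < ROLE_RANK[minimum]:
        raise AuthorizationError(f"{principal.role} cannot act as {minimum}")


class TenantScopedDB:
    """All data access goes through this class. The tenant predicate is bound
    from the principal, not from request parameters, so no caller can omit
    or override it, and every query (even a primary-key lookup) carries it."""

    def __init__(self, conn, principal):
        self.conn = conn
        self.principal = principal

    def list_tests(self):
        require_role(self.principal, "Faculty")
        rows = self.conn.execute(
            "SELECT id, title FROM tests WHERE tenant_id = ? ORDER BY id",
            (self.principal.tenant_id,),
        ).fetchall()
        return [{"id": r[0], "title": r[1]} for r in rows]

    def get_test(self, test_id):
        require_role(self.principal, "Faculty")
        row = self.conn.execute(
            "SELECT id, title FROM tests WHERE id = ? AND tenant_id = ?",
            (test_id, self.principal.tenant_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def publish_test(self, test_id):
        require_role(self.principal, "College Admin")
        cur = self.conn.execute(
            "UPDATE tests SET published = 1 WHERE id = ? AND tenant_id = ?",
            (test_id, self.principal.tenant_id),
        )
        return cur.rowcount  # 0: no such test in this tenant, nothing changed


def unscoped_get_test(conn, test_id):
    """The anti-pattern: a lookup keyed only by id, which reads across tenants."""
    row = conn.execute("SELECT id, title FROM tests WHERE id = ?", (test_id,)).fetchone()
    return None if row is None else {"id": row[0], "title": row[1]}


def build_demo_db():
    """Constructed sample data: two colleges (tenants) sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tests (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " title TEXT NOT NULL, published INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO tests (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, "college-a", "Physics midterm"), (2, "college-a", "Chemistry quiz"),
         (3, "college-b", "Law final")],
    )
    return conn


def run_demo():
    conn = build_demo_db()
    faculty_a = TenantScopedDB(conn, Principal("u1", "college-a", "Faculty"))
    admin_b = TenantScopedDB(conn, Principal("u2", "college-b", "College Admin"))
    results = {
        "faculty_a_sees": [t["id"] for t in faculty_a.list_tests()],
        "faculty_a_get_3": faculty_a.get_test(3),       # college-b's test: hidden
        "unscoped_get_3": unscoped_get_test(conn, 3),   # what the missing predicate leaks
        "admin_b_publish_1": admin_b.publish_test(1),   # other tenant's test: 0 rows
        "admin_b_publish_3": admin_b.publish_test(3),   # own tenant's test: 1 row
    }
    try:
        faculty_a.publish_test(2)  # Faculty is below College Admin in the hierarchy
        results["faculty_publish_denied"] = False
    except AuthorizationError:
        results["faculty_publish_denied"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file shows the college-a faculty member listing two tests, a None for college-b's test fetched by id, zero rows affected when college-b's admin tries to publish a college-a test, and a denied publish for the faculty role; the unscoped helper returns college-b's row, which is exactly the read a mandatory tenant predicate rules out.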
03 / Pillar
Data Protection
Encrypted, isolated, and never shared.
Your institution's data belongs to your institution. It is encrypted before it touches disk, isolated at the database level, and governed by retention policies you control.
AES-256 at rest
All stored data — student records, test responses, recordings, and media — is encrypted at rest using AES-256.
TLS 1.3 in transit
All data transferred between clients and servers uses TLS 1.3. Downgrade to TLS 1.2 is disabled; HTTP is not served.
Tenant-level DB isolation
No shared tables, no shared indexes. Each tenant's data is isolated at the schema level — a misconfigured query cannot leak to another tenant.
Signed media URLs
All recordings and screenshot files are stored in isolated object storage. Access requires a time-limited signed URL — never publicly accessible.
30-day point-in-time recovery
Automated daily backups, with point-in-time recovery to any 5-minute interval within the past 30 days.
Defined data retention policies
Each data type has a defined retention schedule. Student PII deletion requests are processed within 72 hours.
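The time-limited signed invite tokens used for admin onboarding (Access Control pillar) and the signed media URLs used for recordings and screenshots (Data Protection pillar) rest on one mechanism: a keyed MAC over the content plus an expiry, verified server-side in constant time before anything else is done with the input. The following is an added example of that mechanism, not KeneLabs' code; the key, host, paths, e-mail address and tenant names are constructed, and the token and query-parameter layout is an assumption rather than the platform's actual format.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret; a real deployment would load it from a
# secret store and rotate it, never embed it in code.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _sign(message: bytes, key: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _ok(expected: str, provided: str) -> bool:
    # Constant-time comparison; the bytes form tolerates non-ASCII junk in `provided`.
    return hmac.compare_digest(expected.encode(), provided.encode())


def _now(now):
    return int(time.time()) if now is None else int(now)


# --- Time-limited signed media URLs ---------------------------------------

def sign_media_url(base_url, object_path, ttl_seconds, now=None, key=SECRET_KEY):
    """Build a URL for an object in private storage, valid for `ttl_seconds`.
    The MAC covers both the path and the expiry, so neither can be edited."""
    exp = _now(now) + ttl_seconds
    sig = _sign(f"{object_path}\n{exp}".encode(), key)
    return f"{base_url}{object_path}?{urlencode({'exp': exp, 'sig': sig})}"


def verify_media_url(url, now=None, key=SECRET_KEY):
    """Return the object path if the URL is authentic and unexpired, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None
    if not _ok(_sign(f"{parts.path}\n{exp}".encode(), key), sig):
        return None  # path or exp was tampered with, or signed under another key
    if _now(now) >= exp:
        return None  # expired: a link copied out of an evidence export goes stale
    return parts.path


# --- Time-limited signed invite tokens ------------------------------------

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_invite(email, role, tenant_id, ttl_seconds, now=None, key=SECRET_KEY):
    """Invite for an administrative role, bound to one tenant and one expiry."""
    payload = {"email": email, "role": role, "tenant_id": tenant_id,
               "exp": _now(now) + ttl_seconds}
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body.encode(), key)}"


def redeem_invite(token, now=None, key=SECRET_KEY):
    """Return the claims if the token is authentic and unexpired, else None.
    The signature is checked before the body is parsed, so unauthenticated
    input never reaches the JSON decoder."""
    body, sep, sig = token.partition(".")
    if not sep or not _ok(_sign(body.encode(), key), sig):
        return None
    try:
        claims = json.loads(_b64d(body))
        exp = int(claims["exp"])
    except (ValueError, UnicodeDecodeError, KeyError, TypeError):
        return None  # binascii.Error and JSONDecodeError are ValueErrors
    if _now(now) >= exp:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the demo is reproducible
    url = sign_media_url("https://media.example.invalid",
                         "/college-a/attempt-42/recording.webm", 600, now=t0)
    print(url)
    print("valid now:", verify_media_url(url, now=t0))
    print("after expiry:", verify_media_url(url, now=t0 + 600))
    tok = issue_invite("dean@college-a.example", "College Admin", "college-a", 3600, now=t0)
    print("invite claims:", redeem_invite(tok, now=t0 + 5))
```

Two design points worth noting: the expiry is part of the signed message, so a client cannot extend a link's lifetime by editing the exp parameter, and the role and tenant travel inside the signed invite body, so an invite issued for one college cannot be redeemed to create an admin in another.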
Compliance & Standards
ISO 27001 Aligned
Information security management principles followed across all engineering and operations.
GDPR Aligned
Data minimisation, purpose limitation, and subject rights (access, erasure) built into the platform.
VAPT Reports
Vulnerability assessment and penetration testing reports available to enterprise customers on request.
India IT Act
Compliance with the Information Technology Act 2000 and its amendments for data handling in Indian institutions.
Responsible AI
Algorithms inform. Humans decide.
01
No automated disqualification
ML models detect anomalies and assign confidence scores — but a human reviewer makes every final call. No student is ever penalised by an algorithm alone.
02
Explainable signals
Every integrity flag carries a signal type (gaze deviation, audio anomaly, tab switch), a confidence score (0–100), and a timestamp. Nothing is a black box.
03
Institution-configurable policies
Tolerance thresholds, review requirements, and escalation rules are set by the institution — not defaulted by us. You control how strict or lenient your proctoring is.
04
Bias-aware model monitoring
Proctoring models are periodically evaluated for demographic bias in false-positive rates. Reports are shared with enterprise customers on request.
Security questions before you commit?
Our team will walk you through architecture, data residency, and compliance documentation.