Digiexam Lockdown - Microsoft Entra ID Data Privacy Policy

This Privacy Policy applies specifically to the Digiexam Lockdown Solution (the "App") and describes how we collect, use, and handle the data retrieved through Microsoft Graph APIs.

Information We Collect

The App is designed solely to integrate educational institutions' Microsoft Entra ID environment with the Digiexam Identity and Access Management (IAM) system. To achieve this, the App requests specific permissions, or scopes, to function properly. We collect only the following information based on your granted consent:

• Maintain Access (offline_access): Essential for Microsoft Entra ID so Digiexam can acquire a refresh token. This allows Digiexam to continuously update organization, group, and member data after the initial access token expires without requiring the admin to re-authenticate constantly.
• User Information (User.Read.All): We read all users' full profiles, which is required to sync user names and emails.
• Group Information (Group.Read.All): We read all groups, which is required to fetch your directory's groups for role mapping.
• Group Membership (GroupMember.Read.All): We read group memberships, which is required to know which user belongs to which group.
• Organization Information (Organization.Read.All): We read organization information, which is required to link the tenant correctly.

How We Use the Information

We use the information collected exclusively for the core functionality of the App. Specifically, we use it to:

• identify your tenant and securely connect your Microsoft Entra ID directory to your Digiexam environment
• synchronize authorized users and groups from your directory into Digiexam IAM
• provision user accounts so they can access authorized educational services within Digiexam

We do not use your Microsoft Entra ID directory data for any other purposes.

Strict Prohibitions on Data Use

We are committed to data minimization and strict purpose limitation.

• No Marketing: We will never use the data retrieved from Microsoft APIs for marketing, promotional, or advertising purposes.
• No Selling: We will never sell, rent, or lease your Microsoft Entra ID data to third parties.
• No Profiling: Data is not used to build user profiles for any purpose outside of standard educational account provisioning within Digiexam.

Microsoft API Services Usage Disclosure

The App's use and transfer to any other app of information received from Microsoft APIs will adhere to the applicable Microsoft APIs Terms of Use, Microsoft Developer Agreement, and Microsoft identity platform for developers Terms of Use requirements. We govern this data strictly within the intended usage scenario of the application to support secure educational provisioning.

Data Storage, Security, and Retention

The directory data synchronized through the App is transmitted securely and stored within Digiexam's secure infrastructure hosted on Google Cloud Platform (GCP). To ensure compliance with regional data protection requirements and privacy laws, data storage is localized based on the school's location:

• US Customers: Data is stored securely in GCP data centers located in the United States.
• EU Customers: Data is stored securely in GCP data centers located within the European Union.

Data is retained only for as long as your organization maintains an active integration and requires synchronized provisioning. If you disconnect the App or terminate your Digiexam services, the synchronized directory data is handled in accordance with our standard data deletion protocols as outlined in our Master Subscription Agreement and general Privacy Policy.

Contact Us

If you have any questions or concerns about this specific Privacy Policy or the App's use of Microsoft Entra ID data, please contact us at privacy@digiexam.com.