Many organizations and individuals rely on Paragin Group for secure storage of their data. This isn't something we take lightly. Safety, reliability, and security are key concepts within our organization, which we address with great care every day. This ensures we are a reliable partner for our customers, partners, and users.
Compliance and Certification
We implement security based on proven best practices. No compromises or exceptions are allowed: all relevant controls in the ISO 27001 standard have been declared applicable and are embedded in our organization - with the exception of the controls that do not take place within our organization. This is periodically audited and certified by external auditors. More information about ISO 27001 can be found below.
Secure and Robust Software
We work hard to develop robust and secure software. Through firewalls, load balancing, and the high-availability set-up of our infrastructure, we offer 99.5% or higher uptime per month, monitored 24/7 by our technical team and documented in Service Level Agreements (SLAs) and Data Processing Agreements, providing you and your users with peace of mind.
Data Centers and Networks
The data centers housing Paragin's server infrastructure are, like our own organisation, ISO 27001 certified. Together with our partners we work on a fully secure chain in which software, hardware, and human processes and procedures reinforce each other. This is regularly tested by external organizations as well as our internal security team with security audits and penetration testing.
Authentication and Encryption
Single Sign-On, 0Auth2 authentication, SAML support, SURFconext, identity management, Microsoft Entra, two-factor authentication (TOTP), password hashing using adaptive algorithms: our software implements secure authentication using industry-standard protocols. All communication is encrypted using TLS with an A rating minimum, ensuring all data you exchange with our software is encrypted and secure.
Our privacy policies and ISO 27001 certifications
Since 2015, Paragin Group has been certified according to the international standard for information security and management, ISO 27001. Paragin Group is certified for all managed technical assets and all software products we offer. This offers you and your users:
- Security of information and data within Paragin’s software, with all data stored within the European Economic Area (EEA);
- Confidence regarding compliance with laws and regulations regarding information security and privacy, both now and in the future;
- A strong technical foundation based on best practices, regularly tested by independent organizations through security and penetration testing;
- Only authorized access to data, both physically and online;
- Continuous monitoring and improvement of processes and procedures.
Sub-processors
Paragin Group engages generic or product specific third-party Sub-processors and partners to help us provide services and software to our customers, partners and users. As a condition of allowing a sub-processor to process personal data, Paragin Group will enter into a written agreement with each sub-processor containing data protection obligations at least as protective as the technical and organizational measures Paragin Group has established itself to protect customer personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
This Sub-processor Overview was last updated on August 20, 2025 and is effective as of September 1, 2025. See below for an overview of changes in this Sub-processor Overview.
Our product specific Sub-processors
| Sub-processor: | Amazon Web Services |
| Description/Goal: | Datacenters and infrastructure |
| Processing location(s): | Netherlands, Germany, Luxembourg |
| Sub-processor: | Cloutive Technology Solutions B.V. |
| Description/Goal: | Infrastructure support partner with access to hosting infrastructure |
| Processing location(s): | Netherlands |
| Sub-processor: | Amazon Web Services |
| Description/Goal: | Datacenters and infrastructure |
| Processing location(s): | Netherlands, Germany, Luxembourg |
| Sub-processor: | Cloutive Technology Solutions B.V. |
| Description/Goal: | Infrastructure support partner with access to hosting infrastructure |
| Processing location(s): | Netherlands |
| Sub-processor: | Sentry / Functional Software, Inc. |
| Description/Goal: | Error logging, monitoring and reporting |
| Processing location(s): | Germany |
| Sub-processor: | Amazon Web Services |
| Description/Goal: | Datacenters and infrastructure |
| Processing location(s): | Netherlands, Germany, Luxembourg |
| Sub-processor: | Cloutive Technology Solutions B.V. |
| Description/Goal: | Infrastructure support partner with access to hosting infrastructure |
| Processing location(s): | Netherlands |
| Sub-processor: | Sentry / Functional Software, Inc. |
| Description/Goal: | Error logging, monitoring and reporting |
| Processing location(s): | Germany |
| Sub-processor: | Amazon Web Services |
| Description/Goal: | Datacenters and infrastructure |
| Processing location(s): | Netherlands, Germany, Luxembourg |
| Sub-processor: | Cloutive Technology Solutions B.V. |
| Description/Goal: | Infrastructure support partner with access to hosting infrastructure |
| Processing location(s): | Netherlands |
| Sub-processor: | Sentry / Functional Software, Inc. |
| Description/Goal: | Error logging, monitoring and reporting |
| Processing location(s): | Germany |
| Sub-processor: | ProctorU, Inc. d/b/a/ Meazure Learning |
| Description/Goal: | Remote proctoring partner, SOC 2 Type II compliant |
| Processing location(s): | US-based encrypted servers (AES 256) |
| Sub-processor: | Microsoft Corporation - Azure |
| Description/Goal: | Document storage, Hosting of Specific Services |
| Processing location(s): | Netherlands |
| Sub-processor: | MongoDB, Inc |
| Description/Goal: | Database hosting and management |
| Processing location(s): | Netherlands |
| Sub-processor: | Microsoft Corporation - Azure |
| Description/Goal: | Document storage, Hosting of Specific Services |
| Processing location(s): | Netherlands |
| Sub-processor: | MongoDB, Inc |
| Description/Goal: | Database hosting and management |
| Processing location(s): | Netherlands |
| Sub-processor: | Microsoft Corporation - Azure |
| Description/Goal: | Document storage, Hosting of Specific Services |
| Processing location(s): | Netherlands |
| Sub-processor: | MongoDB, Inc |
| Description/Goal: | Database hosting and management |
| Processing location(s): | Netherlands |
| Sub-processor: | Interconnect |
| Description/Goal: | Datacenter, hosting, hardware management, systems management |
| Processing location(s): | Netherlands |
| Sub-processor: | Amazon Web Services |
| Description/Goal: | Datacenters and infrastructure |
| Processing location(s): | Netherlands, Germany, Luxembourg |
| Sub-processor: | Cloutive Technology Solutions B.V. |
| Description/Goal: | Infrastructure support partner with access to hosting infrastructure |
| Processing location(s): | Netherlands |
| Sub-processor: | Amazon Web Services |
| Description/Goal: | Datacenters and infrastructure |
| Processing location(s): | Netherlands, Germany, Luxembourg |
| Sub-processor: | Cloutive Technology Solutions B.V. |
| Description/Goal: | Infrastructure support partner with access to hosting infrastructure |
| Processing location(s): | Netherlands |
| Sub-processor: | Sentry / Functional Software, Inc. |
| Description/Goal: | Error logging, monitoring and reporting |
| Processing location(s): | Germany |
Paragin Group service specific Sub-processors
To provide our services as a company, the following Sub-processors are used for contact with our organisation. These platforms are never used for student or candidate data.
| Sub-processor | Description/Goal: | Categories of Personal Data | Processing location(s) |
|---|---|---|---|
| Atlassian Corporation | Online documentation and service support system | Name, gender and email address of functional administrators and key users. Potentially personally identifiable data in support tickets. | Within EEA |
| Asana, Inc. | Project Management software | Name, gender and email address of customer contacts, functional administrators and key users. | Within EEA |
| Productboard, Inc. | Roadmap management and disclosure | Name, gender and email address of functional administrators and key users. | Within EEA |
| Zendesk, Inc. | Online documentation, knowledge centers and ticketing system | Name, gender and email address of functional administrators and key users. Potentially personally identifiable data in support tickets. | Within EEA |
Customer specific Sub-processors
To provide additional services within our software products, our software can connect/integrate with other suppliers of the customer to deliver the total solution. The exchange with these parties takes place solely based on the customer's Processor Agreement with these suppliers. An overview of possible integration partners are shown in the overview below.
| Sub-processor category | Categories of personal data |
| Archiving systems | Export of personal data relating to completed assignments to an archiving system in accordance with accreditation requirements. |
| Business Intelligence platforms | Exchange of (non-personal) user/usage data for setting up external dashboards. |
| Career Tests | Exchange of personal data from candidates for the use of the application or career test. |
| CRM | Exchange of personal data from users from and/or to the learning management system. |
| Digital Signing | Exchange of personal data in agreements that must be digitally signed. |
| Exam integrated services | Exchange of identifiable data (i.e., IP addresses) with third party exam question integrations, for example in STEM and math |
| Exam locations (physical) | Exchange of personal data for the test and exam planning, including personal identification documents check. |
| Exam Systems | Exchange of personal data for the test and exam planning and exchange of grades and feedback. |
| Federated Login | Exchange of personal data for identifying and authenticating users. |
| HR systems | Exchange of personal data of employees for the use of the application. |
| Learning Management Systems | Exchange of personal data from users from and/or to the learning management system. |
| Payment Providers | Exchange of (minimized) personal data from candidates for payment processing. |
| Plagiarism Providers | Exchange of (minimized) personal data from candidates and performing plagiarism scans on submitted work. |
| Remote Proctoring | Exchange of personal data, including visual/video, for the test and exam planning and remote proctoring, including personal identification documents check. |
| Student Information Systems | Exchange of personal data from users from and/or to the student information system. |
| Text-to-speech software/services | Exchange of identifiable data (i.e., IP addresses) with third party text-to-speech integrations |
Table of Version and Changes
Due to the nature of our global business and our ongoing efforts to support, facilitate and delight our customers, partners and users, our Sub-processors may change from time to time. For example, we may deprecate a Sub-processor to consolidate and minimize our use of Sub-processors, or we may add a Sub-processor if we believe that doing so will enhance our ability to deliver our software and services in a better or more robust way.
You may receive notifications by email if we update this page to add or replace any Sub-processors, if any of our Sub-processors materially change the services that they provide, or if they change their terms or processing countries. All changes in the Sub-processor Overviews on this page will be tracked in the table below.
| Version | Categorie | Changes made | Effective per |
|---|---|---|---|
| 1.0 | All | Published first version of Sub-processor Overview | 1 September 2025 |
Escrow and Continuity
Paragin Group is a reliable organization with longtime founders/management who have been with the organization since 2000, a long-term vision and business model, and a large and diverse customer base. However, this doesn't always guarantee continued existence of an organization. To safeguard the interests and continuity of our customers and partners, we have established an escrow arrangement aimed at ensuring the continuity and availability of Paragin Group's software.
For this purpose, Paragin Group offers an escrow agreement in a three-way agreement with Escrow4all B.V. Escrow4all is ISO/IEC 27001 certified and is also an Approved Escrow Provider for Microsoft and ICANN, among others.
Annual fees may apply for entering into and maintaining the escrow agreement and continuity guarantee in the name of the client. Customers who choose this option are registered in the Escrow4all portal as a stakeholder and are actively kept informed of the status of the escrow agreement. This safeguards our customers' rights, and Escrow4all is immediately aware of them should the escrow arrangement need to be activated. For more information about the options, please contact us.
Responsible Vulnerability Disclosure
At Paragin Group, we consider the safety and security of our software to be of paramount importance. Despite our commitment to system security, as described above, vulnerabilities can still occur.
If you have discovered a vulnerability in one of our software products, please let us know so we can take action as quickly as possible. We are committed to working with you to best protect our customers, users, partners, and our systems.
In the spirit of responsible disclosure, we ask that you:
- Email your findings to support@paragin.com;
- Do not exploit the identified vulnerability by, for example, downloading more data than necessary to demonstrate the vulnerability or by accessing, deleting, or modifying third-party data;
- A strong technical foundation based on best practices, regularly tested by independent organizations through security and penetration testing;
- Do not share the vulnerability with others until it has been resolved and delete all confidential data obtained through the vulnerability immediately after it has been resolved;
- Do not use physical security attacks, distributed denial of service, spam, or third-party applications; Provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. The URL of the affected system and a description of the vulnerability are usually sufficient, but more complex vulnerabilities may be needed.
What we promise in the context of responsible disclosure:
- We will treat your report confidentially and will not share your personal data with third parties without your permission unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
- We will keep you informed of the progress of resolving the problem;
- In communications about the reported problem, we will, if you wish and appreciate this, mention your name as the discoverer;
- If you have reported the problem in accordance with this responsible disclosure statement, we will not take any legal action – we value and appreciate your input;
- As a thank you for your help, we offer a reward for every report of a security vulnerability not yet known to us. The size of the reward is determined based on the severity of the vulnerability and the quality of the report. We strive to resolve issues as quickly as possible and are happy to actively collaborate with anyone who can help us.
The above statement is part of the responsible disclosure initiative to improve software security. Thanks to Floor Terra and coordinatedvulnerabilitydisclosure.org.
More information
We hope this page provides as much information as possible about our approach to information security and privacy protection. However, if you have any additional questions, please email us at support@paragin.com.