Integrity monitoring built on an architecture that makes privacy violations structurally impossible — not just contractually prohibited.
No video, no audio, no screenshots leave the device during detection. The architecture enforces this — it is not a policy setting.
Face, gaze, and voice analysis compiled to WebAssembly and executed client-side. Vendor cannot intercept what never reaches the server.
Each tenant holds their own ECDSA P-256 private key. ProctorSafe cannot forge or tamper with session payloads.
Network monitoring logs only the domain name and timestamp of a suspect request — never the URL path, request body, or query parameters that could expose exam content or PII.
Most online proctoring tools handle privacy through policy: they promise not to share your data, retain it only for a defined period, and process it in compliant data centres. These are real commitments — but they are enforced by contracts and audits, not by code.
ProctorSafe takes a different approach. The architecture is designed so that the most sensitive data — raw video, audio, facial geometry — is never transmitted to ProctorSafe's servers in the first place. A policy violation requires a bad actor with access; an architectural constraint has no such requirement.
identifies face presence, multiple faces, and face disappearance using a convolutional model running at adaptive frame rates
the GazeEngine estimates whether the candidate is looking at the screen, with debounce logic to suppress transient movements
on browsers that support WebAssembly SIMD, the engine selects a SIMD-optimized build at runtime for higher throughput
Second-speaker detection uses the browser's getUserMedia API to access the microphone. The audio pipeline runs entirely in the browser:
SECOND_SPEAKER_SUSPECTED event is emitted — containing only the timestamp, confidence score, and evidence metrics.What reaches ProctorSafe: a structured event with numeric evidence. No audio samples, no voice recordings.
fetch and XMLHttpRequest to check the request hostname against a domain blocklist (ChatGPT, Claude, Gemini, Copilot, and similar services).| Processing activity | Traditional proctoring | ProctorSafe |
|---|---|---|
| Facial analysis | Cloud: vendor's AI system | In-browser WASM: candidate's device |
| Data subject of analysis | Candidate's biometric data at vendor | Candidate's local device only |
| Video storage | Vendor cloud (months/years) | Not stored (never transmitted) |
| Third-party AI processing | Yes (video → AI service) | No (WASM runs locally) |
Dive deeper with guides from our articles library.
How WebAssembly enables high-performance in-browser proctoring without invasive downloads or kernel-level software.
Read articleRegulatory & complianceHow GDPR Article 25 changes remote assessment design: data minimization, default settings, and what “state of the art” means for proctoring.
Read articleRegulatory & complianceA practical guide to the EU AI Act (Regulation 2024/1689) for education and certification teams using (or evaluating) online proctoring.
Read articleCommon questions about privacy, compliance, and integration.
Try the interactive demo in your browser, or contact us for a walkthrough tailored to your program.