Privacy Policy

Draper Mock Oral Platform — Last Updated: March 28, 2026

This Privacy Policy describes how Draper Mock Oral ("we," "us," or "our") collects, uses, stores, and protects information when you use the Draper Mock Oral Platform ("Platform"). We are committed to safeguarding the privacy of our users and the institutions we serve.

1. Information We Collect

1.1. Information Provided by Institutions

When an institution licenses the Platform, we collect:

• Institution name, contact person name, and contact email address
• Administrator account information (username, email, hashed password)
• Billing and license information

1.2. Information Managed by Institutions

Institutions upload and manage the following data within their isolated environment:

• Resident data: Name, PGY level, email address, training year, status
• Faculty data: Name, email address, department
• Examination content: Scenario documents, question stem images, clinical images
• Examination records: Exam configurations, room assignments, credentials
• Performance data: Scores (pass/marginal/fail), examiner comments, question history

1.3. Information Collected Automatically

• IP address (used for rate limiting login attempts)
• Session identifiers (used to maintain authenticated sessions)
• Audit log entries (login events, administrative actions, timestamps)

1.4. Information We Do Not Collect

• We do not use cookies for advertising or tracking purposes
• We do not collect browsing history, device fingerprints, or behavioral analytics
• We do not collect Social Security numbers, financial information from end users, or medical records

2. How We Use Information

3. Data Isolation and Multi-Tenancy

3.1. Each institution operates in a fully isolated environment. An institution's data — including residents, faculty, content, exams, scores, and credentials — is not accessible to any other institution.

3.2. Tenant isolation is enforced at the database level. All queries are automatically scoped to the requesting institution's environment.

3.3. Platform administrators (Draper Mock Oral staff) do not access institutional data except when explicitly requested for technical support, or as required by law.

4. Data Storage and Security

4.1. Encryption

• Examinee and examiner passwords are encrypted at rest using AES-256-GCM
• Administrator passwords are hashed using bcrypt (one-way, irreversible)
• All data is transmitted over HTTPS (TLS 1.2+)
• File storage uses server-side encryption

4.2. Access Controls

• Role-based access: Examinees, Examiners, Administrators, and Super Administrators each have distinct permission levels
• Examinee credentials are single-use and are consumed on first login
• Examiner credentials expire the day after the exam date
• Administrative sessions expire after 24 hours of inactivity

4.3. Infrastructure

• The Platform is hosted on commercial cloud infrastructure with industry-standard physical and network security
• Database backups are encrypted and retained according to our data retention policy
• File storage (examination content, images) is hosted on encrypted cloud storage

5. Data Sharing

5.1. We do not sell, rent, trade, or otherwise share institutional or user data with third parties for marketing or advertising purposes.

5.2. We may share data with the following categories of service providers, solely to operate the Platform:

• Cloud infrastructure providers (hosting, database, file storage)
• Email delivery services (for sending credential notifications)

5.3. We may disclose data if required by law, regulation, legal process, or governmental request.

6. Data Retention

6.1. Institutional data is retained for the duration of the active license agreement.

6.2. Upon termination of a license, institutions have thirty (30) days to export their data. After this period, data is scheduled for permanent deletion.

6.3. Audit logs are retained for a minimum of one (1) year for security and compliance purposes.

6.4. Expired session records are automatically purged on a regular schedule.

7. Institution Responsibilities

7.1. Institutions are the data controllers for the resident and faculty information they manage within the Platform. We act as a data processor on their behalf.

7.2. Institutions are responsible for:

• Obtaining any necessary consents from residents and faculty for data entry into the Platform
• Complying with their own institutional policies regarding trainee performance data
• Managing user access and credentials within their environment
• Determining the appropriate retention and use of examination scores and records

8. FERPA Considerations

8.1. To the extent that data managed on the Platform constitutes education records under the Family Educational Rights and Privacy Act (FERPA), the Institution is the educational institution responsible for FERPA compliance.

8.2. We act as a "school official" with a "legitimate educational interest" under FERPA, as a service provider to the Institution, and will handle education records in accordance with the Institution's direction and applicable law.

9. Your Rights

9.1. Institutions may request export of all their data at any time by contacting us.

9.2. Individual users (residents, faculty, examiners) should direct data access, correction, or deletion requests to their Institution's administrator, as the Institution controls the data.

9.3. If you believe your data has been handled improperly, you may contact us directly at the address below.

10. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Institution administrators via email at least thirty (30) days before taking effect. The "Last Updated" date at the top of this page indicates when the policy was most recently revised.

12. Contact

For privacy-related questions or requests, contact:
Draper Mock Oral
Email: privacy@drapermockoral.com