// Trust & Security Report
Turnitin, LLC (operating Gradescope)
Gradescope: AI-assisted grading and assessment platform for higher education, supporting paper-based exams, homework, programming assignments, bubble sheets, and code autograders. Acquired by Turnitin in 2018.
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on gradescope.com“Vendor domain (gradescope.com/privacy): 'over 160 controls aligned to the SOC2 criteria were designed for Turnitin and audited for effectiveness. Turnitin successfully satisfied 100% of the controls audited.' Corroborated by Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Which SOC 2 certification did you achieve? type2 | Most recent SOC2 certification date: 2024-11-26'”
Verify on gradescope.com“gradescope.com/privacy: 'Turnitin complies with the relevant security standards of the US, EU and Switzerland.' And: 'Where necessary, for data transfers outside the EEA, we utilise the Model Contractual Clauses.' GDPR obligations explicitly adopted per privacy policy.”
Verify on learn.microsoft.com“Vendor domain (gradescope.com/privacy, Legal FAQs): 'Yes. The Turnitin service is compliant with and helps institutions comply with FERPA...' Corroborated by Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with Family Educational Rights and Privacy Act (FERPA)? Yes'. Turnitin also took the Student Privacy Pledge (FPF/SIIA), referenced in gradescope.com/privacy.”
Verify on gradescope.com“Vendor domain (gradescope.com/privacy, Legal FAQs): 'We comply with all COPPA requirements, and partner with our education institution customers to ensure that parents are always able to exercise their rights under all applicable laws and regulations.' Corroborated by Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with Children's Online Privacy Protection Act (COPPA)? Yes'”
Verify on gradescope.com“gradescope.com/privacy: 'Cyber Essentials (certified November 2019) — Turnitin obtained the Cyber Essentials certification at the request of several international customers. Turnitin successfully completed a third-party audit of the effectiveness of our basic security controls.' WARNING: Cyber Essentials requires annual renewal; no evidence of renewal post-2019 was found during this assessment.”
> Show 9 unconfirmed / not-held certifications
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Is the app International Organization for Standardization (ISO 27001) certified? No'
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with International Organization for Standardization (ISO 27018)? No'
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with International Organization for Standardization (ISO 27017)? No'
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? N/A' — education sector tool; HIPAA is not applicable.
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No'
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Has the app been Cloud Security Alliance (CSA Star) certified? No'
source: learn.microsoft.comAnnual PCI DSS assessments are conducted ('Do you carry out annual PCI DSS assessments against the app and its supporting environment? Yes') but no PCI DSS certification is claimed. Assessment only, not certification.
No public evidence of ISO/IEC 42001 certification found on any Turnitin or Gradescope domain.
source: learn.microsoft.comTurnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with Health Information Trust Alliance, Common Security Framework (HITRUST CSF)? N/A'
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States, Germany, Australia (per Microsoft attestation). Privacy policy notes Gradescope data can be processed in Europe, Canada, Australia, or United States depending on institution preference, except handwritten formula recognition which requires US processing.
AI training posture for Gradescope is unclear. The Terms of Service grant Turnitin a 'royalty-free, sublicensable, transferable, perpetual, irrevocable, non-exclusive, worldwide license' to use User Content, with a carve-out: Educational Records may be used 'solely on an aggregated, de-identified basis and will not share such information with third parties.' Gradescope's AI-assisted grading feature groups similar student answers using AI, which is limited to Institutional plan. No explicit statement on whether student submissions train underlying AI/ML models is present in Gradescope-specific documentation. The Microsoft attestation confirms 'Does the app perform automated decision making, including profiling that could have a legal effect or similar impact? No.' No explicit AI training opt-out is documented for Gradescope.
// Security controls
Encryption in transit
SSL/TLS encryption stated in privacy policy. Microsoft attestation confirms TLS 1.1 or higher supported.
gradescope.comEncryption at rest
Privacy policy references 'robust physical, digital, and procedural safeguards including SSL encryption, redundant servers and data centers.' At-rest encryption not explicitly confirmed for Gradescope data.
gradescope.comData hosting
AWS (Amazon Web Services) confirmed as cloud provider per Microsoft attestation. PaaS model.
learn.microsoft.comPenetration testing
Annual penetration testing confirmed ('Do you perform annual penetration testing on the app? Yes').
learn.microsoft.comVulnerability scanning
Quarterly vulnerability scanning confirmed ('Do you conduct quarterly vulnerability scanning on your app and the infrastructure that supports it? Yes').
learn.microsoft.comMulti-factor authentication (MFA)
MFA enabled for code repositories, DNS management, and credentials per Microsoft attestation.
learn.microsoft.comIntrusion Detection/Prevention
IDPS deployed at network perimeter ('Do you have Intrusion Detection and Prevention (IDPS) software deployed at the perimeter of the network boundary supporting your app? Yes').
learn.microsoft.comIncident response
Formal security incident response process documented. Breach notification to supervisory authorities and individuals within 72 hours confirmed.
learn.microsoft.comDisaster recovery
Documented disaster recovery plan including backup and restore strategy confirmed.
learn.microsoft.comSSO / LMS integration
LTI 1.3 and SSO available on Institutional plan. Microsoft Entra ID integration supported.
turnitin.gradescope.comStudent Privacy Pledge
Turnitin took the Student Privacy Pledge (FPF/SIIA), committing not to sell student data or use it for targeted advertising.
gradescope.com// Products & data scope
data: Student submissions (PDFs, instructor-uploaded or student-uploaded), rubrics, grades, comments, personal data (name, email, institution)
Free plan for individual instructors. Includes rubric management, PDF uploads, assignment statistics, regrade requests. No AI features. No LMS integration.
data: Same as Basic plus code submissions, bubble sheet scans, handwritten formula images (US-processed), collaborative grading data
Custom pricing per institution, per-student. Adds AI-assisted grading, answer grouping, anonymous grading, LMS integration, SSO, admin dashboard, code similarity detection, and dedicated onboarding. AI features include AI-powered roster matching and AI-powered answer grouping.
// What to watch
- SOC 2 SCOPE AMBIGUITY: The primary SOC 2 Type 2 evidence (cert date 2024-11-26) comes from Turnitin's self-attestation for the Microsoft Teams integration, not Gradescope specifically. The vendor-domain privacy policy confirms Turnitin's SOC 2 audit but does not specify the Type or scope. Buyers should request the SOC 2 report directly to confirm Gradescope is in scope.
- CYBER ESSENTIALS RENEWAL: Cyber Essentials certification issued November 2019; annual renewal is required. No evidence of renewal was found post-2019. This cert may be lapsed.
- AI TRAINING POSTURE UNCLEAR: The ToS grants Turnitin a broad perpetual license over User Content. Educational Records are carved out to 'aggregated, de-identified basis only.' However, no explicit Gradescope-specific policy states whether student submissions are used to train AI models. This is a gap for institutions uploading sensitive student work.
- THIRD-PARTY DATA SHARING INCIDENT: Stanford Internet Observatory research found that Gradescope previously sent student PII (names, emails, grades, instructor comments) to FullStory via embedded analytics scripts. Remediation and current status of third-party analytics data sharing is not confirmed in current documentation.
- OUTDATED PRIVACY SHIELD REFERENCE: Turnitin's 2018 press materials referenced EU-US Privacy Shield certification. Privacy Shield was invalidated by Schrems II in July 2020. The current privacy policy correctly uses Standard Contractual Clauses (Model Contractual Clauses), so this is a historical artifact, not a current compliance gap.
// At a glance
Pricing model
Free basic tier (Gradescope Basic for individual instructors); Institutional plan is custom-quoted per university at an estimated $1-$3 per student per course based on third-party sources. No public pricing page for Institutional.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Turnitin, LLC (operating Gradescope)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
gradescope.com