// Trust & Security Report

    Turnitin, LLC (operating Gradescope) logo

    Turnitin, LLC (operating Gradescope)

    Gradescope: AI-assisted grading and assessment platform for higher education, supporting paper-based exams, homework, programming assignments, bubble sheets, and code autograders. Acquired by Turnitin in 2018.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Vendor domain (gradescope.com/privacy): 'over 160 controls aligned to the SOC2 criteria were designed for Turnitin and audited for effectiveness. Turnitin successfully satisfied 100% of the controls audited.' Corroborated by Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Which SOC 2 certification did you achieve? type2 | Most recent SOC2 certification date: 2024-11-26'

    Verify on gradescope.com
    GDPR (compliance posture)
    HELD

    gradescope.com/privacy: 'Turnitin complies with the relevant security standards of the US, EU and Switzerland.' And: 'Where necessary, for data transfers outside the EEA, we utilise the Model Contractual Clauses.' GDPR obligations explicitly adopted per privacy policy.

    Verify on gradescope.com
    FERPA
    HELD

    Vendor domain (gradescope.com/privacy, Legal FAQs): 'Yes. The Turnitin service is compliant with and helps institutions comply with FERPA...' Corroborated by Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with Family Educational Rights and Privacy Act (FERPA)? Yes'. Turnitin also took the Student Privacy Pledge (FPF/SIIA), referenced in gradescope.com/privacy.

    Verify on learn.microsoft.com
    COPPA
    HELD

    Vendor domain (gradescope.com/privacy, Legal FAQs): 'We comply with all COPPA requirements, and partner with our education institution customers to ensure that parents are always able to exercise their rights under all applicable laws and regulations.' Corroborated by Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with Children's Online Privacy Protection Act (COPPA)? Yes'

    Verify on gradescope.com
    Cyber Essentials (UK)
    HELD

    gradescope.com/privacy: 'Cyber Essentials (certified November 2019) — Turnitin obtained the Cyber Essentials certification at the request of several international customers. Turnitin successfully completed a third-party audit of the effectiveness of our basic security controls.' WARNING: Cyber Essentials requires annual renewal; no evidence of renewal post-2019 was found during this assessment.

    Verify on gradescope.com
    > Show 9 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Is the app International Organization for Standardization (ISO 27001) certified? No'

    source: learn.microsoft.com
    ISO 27018
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with International Organization for Standardization (ISO 27018)? No'

    source: learn.microsoft.com
    ISO 27017
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with International Organization for Standardization (ISO 27017)? No'

    source: learn.microsoft.com
    HIPAA
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? N/A' — education sector tool; HIPAA is not applicable.

    source: learn.microsoft.com
    FedRAMP
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No'

    source: learn.microsoft.com
    CSA STAR
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Has the app been Cloud Security Alliance (CSA Star) certified? No'

    source: learn.microsoft.com
    PCI DSS
    NOT CONFIRMED

    Annual PCI DSS assessments are conducted ('Do you carry out annual PCI DSS assessments against the app and its supporting environment? Yes') but no PCI DSS certification is claimed. Assessment only, not certification.

    source: learn.microsoft.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification found on any Turnitin or Gradescope domain.

    HITRUST CSF
    NOT CONFIRMED

    Turnitin self-attestation to Microsoft (updated Oct 23 2025): 'Does the app comply with Health Information Trust Alliance, Common Security Framework (HITRUST CSF)? N/A'

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States, Germany, Australia (per Microsoft attestation). Privacy policy notes Gradescope data can be processed in Europe, Canada, Australia, or United States depending on institution preference, except handwritten formula recognition which requires US processing.

    AI training posture for Gradescope is unclear. The Terms of Service grant Turnitin a 'royalty-free, sublicensable, transferable, perpetual, irrevocable, non-exclusive, worldwide license' to use User Content, with a carve-out: Educational Records may be used 'solely on an aggregated, de-identified basis and will not share such information with third parties.' Gradescope's AI-assisted grading feature groups similar student answers using AI, which is limited to Institutional plan. No explicit statement on whether student submissions train underlying AI/ML models is present in Gradescope-specific documentation. The Microsoft attestation confirms 'Does the app perform automated decision making, including profiling that could have a legal effect or similar impact? No.' No explicit AI training opt-out is documented for Gradescope.

    // Security controls

    Encryption in transit

    SSL/TLS encryption stated in privacy policy. Microsoft attestation confirms TLS 1.1 or higher supported.

    gradescope.com

    Encryption at rest

    Privacy policy references 'robust physical, digital, and procedural safeguards including SSL encryption, redundant servers and data centers.' At-rest encryption not explicitly confirmed for Gradescope data.

    gradescope.com

    Data hosting

    AWS (Amazon Web Services) confirmed as cloud provider per Microsoft attestation. PaaS model.

    learn.microsoft.com

    Penetration testing

    Annual penetration testing confirmed ('Do you perform annual penetration testing on the app? Yes').

    learn.microsoft.com

    Vulnerability scanning

    Quarterly vulnerability scanning confirmed ('Do you conduct quarterly vulnerability scanning on your app and the infrastructure that supports it? Yes').

    learn.microsoft.com

    Multi-factor authentication (MFA)

    MFA enabled for code repositories, DNS management, and credentials per Microsoft attestation.

    learn.microsoft.com

    Intrusion Detection/Prevention

    IDPS deployed at network perimeter ('Do you have Intrusion Detection and Prevention (IDPS) software deployed at the perimeter of the network boundary supporting your app? Yes').

    learn.microsoft.com

    Incident response

    Formal security incident response process documented. Breach notification to supervisory authorities and individuals within 72 hours confirmed.

    learn.microsoft.com

    Disaster recovery

    Documented disaster recovery plan including backup and restore strategy confirmed.

    learn.microsoft.com

    SSO / LMS integration

    LTI 1.3 and SSO available on Institutional plan. Microsoft Entra ID integration supported.

    turnitin.gradescope.com

    Student Privacy Pledge

    Turnitin took the Student Privacy Pledge (FPF/SIIA), committing not to sell student data or use it for targeted advertising.

    gradescope.com

    // Products & data scope

    Gradescope BasicGrading and assessment

    data: Student submissions (PDFs, instructor-uploaded or student-uploaded), rubrics, grades, comments, personal data (name, email, institution)

    Free plan for individual instructors. Includes rubric management, PDF uploads, assignment statistics, regrade requests. No AI features. No LMS integration.

    Gradescope InstitutionalGrading and assessment (enterprise)

    data: Same as Basic plus code submissions, bubble sheet scans, handwritten formula images (US-processed), collaborative grading data

    Custom pricing per institution, per-student. Adds AI-assisted grading, answer grouping, anonymous grading, LMS integration, SSO, admin dashboard, code similarity detection, and dedicated onboarding. AI features include AI-powered roster matching and AI-powered answer grouping.

    // What to watch

    • SOC 2 SCOPE AMBIGUITY: The primary SOC 2 Type 2 evidence (cert date 2024-11-26) comes from Turnitin's self-attestation for the Microsoft Teams integration, not Gradescope specifically. The vendor-domain privacy policy confirms Turnitin's SOC 2 audit but does not specify the Type or scope. Buyers should request the SOC 2 report directly to confirm Gradescope is in scope.
    • CYBER ESSENTIALS RENEWAL: Cyber Essentials certification issued November 2019; annual renewal is required. No evidence of renewal was found post-2019. This cert may be lapsed.
    • AI TRAINING POSTURE UNCLEAR: The ToS grants Turnitin a broad perpetual license over User Content. Educational Records are carved out to 'aggregated, de-identified basis only.' However, no explicit Gradescope-specific policy states whether student submissions are used to train AI models. This is a gap for institutions uploading sensitive student work.
    • THIRD-PARTY DATA SHARING INCIDENT: Stanford Internet Observatory research found that Gradescope previously sent student PII (names, emails, grades, instructor comments) to FullStory via embedded analytics scripts. Remediation and current status of third-party analytics data sharing is not confirmed in current documentation.
    • OUTDATED PRIVACY SHIELD REFERENCE: Turnitin's 2018 press materials referenced EU-US Privacy Shield certification. Privacy Shield was invalidated by Schrems II in July 2020. The current privacy policy correctly uses Standard Contractual Clauses (Model Contractual Clauses), so this is a historical artifact, not a current compliance gap.

    // At a glance

    Pricing model

    Free basic tier (Gradescope Basic for individual instructors); Institutional plan is custom-quoted per university at an estimated $1-$3 per student per course based on third-party sources. No public pricing page for Institutional.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Turnitin, LLC (operating Gradescope)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    gradescope.com

    > Browse all vendor trust reports