Security & Compliance
Exam Integrity by Design
Exam evaluation security requires more than encryption — it requires evaluator anonymity, identity verification, tamper-proof audit trails, and role-based access control at every layer. MAPLES OSM is built with security as a foundational principle, not an afterthought, ensuring that every mark is defensible and every action is traceable.
Core Security Features
Evaluator Anonymity
Answer scripts are stripped of all student identity before distribution. Evaluators see only a system-generated script ID — never the student's name, roll number, or institution. Scripts are distributed randomly, preventing any evaluator from selecting specific scripts.
Face Recognition Proctoring
Face verification runs throughout evaluation sessions. The system captures the evaluator's face at login and re-verifies it at intervals during the marking session. Any mismatch raises an alert and locks the session, so the registered evaluator is the one actually marking.
OTP Authentication
Multi-channel OTP delivery via SMS and email. Every login requires OTP verification in addition to credentials. Session tokens expire after configurable inactivity periods. Failed OTP attempts trigger account lockout with admin notification.
Role-Based Access Control
11 specialized roles with granular permissions: Scanner Operator, Evaluator, Moderator, Chief Examiner, Subject Coordinator, Department Admin, Exam Controller, QC Reviewer, Result Processor, System Admin, and Student. Each role sees only the data and actions relevant to its function.
Complete Audit Trail
Every action on the platform is logged: marks awarded, annotations placed, scores modified, scripts reassigned, moderation decisions, login times, and session durations. Audit logs are append-only (existing entries can be neither edited nor deleted) and RTI-ready, providing a complete forensic record for any script.
Encrypted Storage
All traffic is served over HTTPS (TLS). Scanned answer sheets are stored in two locations, local station storage and Cloudflare R2 cloud storage, so the loss of one does not lose the scans. API requests are authenticated with JWTs that are rotated on refresh. The database is encrypted at rest and its connections are encrypted in transit.
Tamper Detection & Prevention
- Assignment-based access: evaluators can view only the scripts explicitly assigned to them
- Transaction isolation: concurrent evaluations of the same script run in isolated database transactions, so one session cannot silently overwrite another's marks
- Score modification logging: every mark change records the previous value, the new value, the timestamp, and the user who made it
- Session binding: evaluation sessions are tied to the client IP address and device fingerprint, and requests from a different address or device are rejected (evaluators on mobile or carrier-NAT networks, whose address can change mid-session, should expect to re-authenticate)
- Automatic session termination on suspicious activity patterns
- Immutable submission records: once an evaluation is submitted, the originally submitted marks are preserved even if moderation later changes the score
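The tamper-detection controls above translate into a few concrete database rules. The following is an added example, not MAPLES OSM's own code, showing one way to implement assignment checks, transaction isolation with an optimistic version check, score-modification logging and frozen submissions in Python on SQLite. The schema, table names, the script ID SCR-7F3A and the user IDs are assumptions chosen for illustration.

```python
"""Score recording with assignment checks, optimistic concurrency and an append-only
audit table, on an in-memory SQLite database. Added illustration, not MAPLES OSM
code: schema, table names, script and user IDs are assumptions for the example."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE assignments (script_id TEXT, evaluator TEXT, PRIMARY KEY (script_id, evaluator));
CREATE TABLE scores (script_id TEXT PRIMARY KEY, marks REAL, version INTEGER NOT NULL);
CREATE TABLE submissions (script_id TEXT PRIMARY KEY, marks REAL NOT NULL,
                          evaluator TEXT NOT NULL, submitted_at TEXT NOT NULL);
CREATE TABLE audit (id INTEGER PRIMARY KEY AUTOINCREMENT, script_id TEXT NOT NULL,
                    actor TEXT NOT NULL, action TEXT NOT NULL, old_marks REAL,
                    new_marks REAL, at TEXT NOT NULL);
-- Immutability enforced by the database, not by application discipline: any
-- UPDATE or DELETE of audit rows or of submitted marks is aborted.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
    BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
    BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
CREATE TRIGGER submission_no_update BEFORE UPDATE ON submissions
    BEGIN SELECT RAISE(ABORT, 'submitted marks are frozen'); END;
"""

class AccessDenied(Exception): pass
class ConcurrentModification(Exception): pass

def connect():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT below
    conn.executescript(SCHEMA)
    return conn

def _now():
    return datetime.now(timezone.utc).isoformat()

def record_score(conn, script_id, actor, new_marks, expected_version, action="score"):
    """Change a script's live marks and log the change in one transaction. expected_version
    is the version the caller read before editing; if the row has moved on since, another
    session wrote in between and this write is refused instead of overwriting it."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    try:
        if action == "score" and not conn.execute(   # evaluators may only touch assigned scripts
                "SELECT 1 FROM assignments WHERE script_id=? AND evaluator=?", (script_id, actor)).fetchone():
            raise AccessDenied(f"{actor} is not assigned script {script_id}")
        row = conn.execute("SELECT marks, version FROM scores WHERE script_id=?", (script_id,)).fetchone()
        old_marks, version = row if row else (None, 0)
        if version != expected_version:
            raise ConcurrentModification(f"{script_id}: expected v{expected_version}, found v{version}")
        if row is None:
            conn.execute("INSERT INTO scores VALUES (?, ?, 1)", (script_id, new_marks))
        else:  # the version predicate is the optimistic lock
            conn.execute("UPDATE scores SET marks=?, version=version+1 WHERE script_id=? AND version=?",
                         (new_marks, script_id, expected_version))
        conn.execute("INSERT INTO audit (script_id, actor, action, old_marks, new_marks, at) "
                     "VALUES (?, ?, ?, ?, ?, ?)", (script_id, actor, action, old_marks, new_marks, _now()))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return version + 1

def submit(conn, script_id, evaluator):
    """Freeze the evaluator's final marks; moderation later edits scores, never this row."""
    marks = conn.execute("SELECT marks FROM scores WHERE script_id=?", (script_id,)).fetchone()[0]
    conn.execute("BEGIN IMMEDIATE")
    conn.execute("INSERT INTO submissions VALUES (?, ?, ?, ?)", (script_id, marks, evaluator, _now()))
    conn.execute("INSERT INTO audit (script_id, actor, action, old_marks, new_marks, at) "
                 "VALUES (?, ?, 'submit', ?, ?, ?)", (script_id, evaluator, marks, marks, _now()))
    conn.execute("COMMIT")

def demo():
    conn = connect()
    conn.execute("INSERT INTO assignments VALUES ('SCR-7F3A', 'eval_17')")  # constructed data
    v1 = record_score(conn, "SCR-7F3A", "eval_17", 12.0, expected_version=0)
    v2 = record_score(conn, "SCR-7F3A", "eval_17", 13.5, expected_version=v1)
    submit(conn, "SCR-7F3A", "eval_17")
    record_score(conn, "SCR-7F3A", "mod_02", 14.0, expected_version=v2, action="moderate")
    out = {}
    for name, args, exc in [  # a stale session still holding v1, and an evaluator with no assignment
            ("stale_write_rejected", ("eval_17", 10.0, v1), ConcurrentModification),
            ("unassigned_rejected", ("eval_99", 5.0, 3), AccessDenied)]:
        try:
            record_score(conn, "SCR-7F3A", args[0], args[1], expected_version=args[2]); out[name] = False
        except exc:
            out[name] = True
    for name, sql in [("audit_frozen", "UPDATE audit SET new_marks=99 WHERE script_id=?"),
                      ("submission_frozen", "UPDATE submissions SET marks=99 WHERE script_id=?")]:
        try:
            conn.execute(sql, ("SCR-7F3A",)); out[name] = False
        except sqlite3.DatabaseError:   # RAISE(ABORT, ...) surfaces as a database error
            out[name] = True
    out["submitted"] = conn.execute("SELECT marks FROM submissions WHERE script_id='SCR-7F3A'").fetchone()[0]
    out["live"] = conn.execute("SELECT marks FROM scores WHERE script_id='SCR-7F3A'").fetchone()[0]
    out["history"] = conn.execute("SELECT actor, action, old_marks, new_marks FROM audit "
                                  "WHERE script_id='SCR-7F3A' ORDER BY id").fetchall()
    return out
```

Two design points carry over to any production database: immutability of the audit and submission tables is enforced by triggers rather than by the application promising not to issue UPDATEs, and the stale write is refused before any audit row is written, so the log never records a change that did not happen. On PostgreSQL a row-level trigger that raises an exception plays the role of RAISE(ABORT).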
Authentication & Storage
Bcrypt Password Hashing
All passwords hashed with bcrypt using adaptive cost factor. Plaintext passwords never stored or logged anywhere in the system.
JWT Authentication
Stateless API authentication with JSON Web Tokens: short-lived access tokens are validated by signature and expiry alone, without a server-side lookup per request. Refresh tokens are rotated on every use, so each one is valid only once; that rotation state is the part the server keeps.
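As an added example, not MAPLES OSM's token code, the block below implements HS256 JWT issuance and verification with the Python standard library only, including the session-binding claim described under Tamper Detection and one-time refresh tokens whose reuse revokes the whole session family. The secret, claim names, lifetimes, user IDs and client addresses are assumptions.

```python
"""HS256 JWT issuance and verification with session binding, plus one-time refresh
tokens whose replay revokes the whole session family. Added example using only the
standard library; not MAPLES OSM's code. Secret, claim names, lifetimes and client
details are assumptions."""
import base64, hashlib, hmac, json, secrets

SECRET = b"demo-only-secret-do-not-deploy"  # assumption: production loads this from a secret store
ACCESS_TTL = 15 * 60                        # short-lived access token, seconds
REFRESH_TTL = 8 * 3600

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def binding_hash(ip: str, device_fp: str) -> str:
    """Session binding: the token carries a digest of the client IP + device fingerprint."""
    return hashlib.sha256(f"{ip}|{device_fp}".encode()).hexdigest()

def sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, ip: str, device_fp: str, now: float) -> dict:
    """Reject on bad alg, bad signature, expiry, or a client other than the one bound at login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":   # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(claims["bind"], binding_hash(ip, device_fp)):
        raise ValueError("session binding mismatch")
    return claims

class RefreshStore:
    """Server-side refresh-token state. Access tokens are stateless; rotation is not."""
    def __init__(self):
        self.tokens = {}              # token -> {"user", "role", "family", "exp", "used"}
        self.revoked_families = set()

    def issue(self, user, role, family, now):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": user, "role": role, "family": family,
                            "exp": now + REFRESH_TTL, "used": False}
        return tok

    def rotate(self, old, now):
        """Each refresh token is valid once. Seeing a consumed token again means it was
        copied or replayed, so the whole family (everything since that login) is revoked."""
        entry = self.tokens.get(old)
        if entry is None:
            raise ValueError("unknown refresh token")
        if entry["used"]:
            self.revoked_families.add(entry["family"])
            raise ValueError("refresh token reuse detected; session family revoked")
        if entry["family"] in self.revoked_families or entry["exp"] <= now:
            raise ValueError("refresh token revoked or expired")
        entry["used"] = True
        return self.issue(entry["user"], entry["role"], entry["family"], now)

def login(store, user, role, ip, fp, now):
    """Called once credentials and OTP have succeeded: returns (access_jwt, refresh_token)."""
    claims = {"sub": user, "role": role, "bind": binding_hash(ip, fp), "iat": now, "exp": now + ACCESS_TTL}
    return sign_jwt(claims), store.issue(user, role, secrets.token_hex(8), now)

def refresh(store, refresh_token, ip, fp, now):
    new_refresh = store.rotate(refresh_token, now)
    e = store.tokens[new_refresh]
    claims = {"sub": e["user"], "role": e["role"], "bind": binding_hash(ip, fp), "iat": now, "exp": now + ACCESS_TTL}
    return sign_jwt(claims), new_refresh

def demo():
    store, t0 = RefreshStore(), 1_700_000_000.0
    ip, fp = "203.0.113.7", "fp-a1b2c3"                       # constructed client identity
    access, rt = login(store, "eval_17", "evaluator", ip, fp, t0)
    out = {"sub": verify_jwt(access, ip, fp, t0 + 60)["sub"]}
    h, b, s = access.split(".")
    claims = json.loads(_unb64(b)); claims["role"] = "system_admin"
    forged = f"{h}.{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{s}"  # edited payload, old signature
    none_header = _b64(b'{"alg":"none"}')
    alg_none = f"{none_header}.{b}."                                               # classic alg=none attempt
    for name, tok, cip, at in [("wrong_ip", access, "198.51.100.9", t0 + 60), ("expired", access, ip, t0 + ACCESS_TTL + 1),
                               ("forged_role", forged, ip, t0 + 60), ("alg_none", alg_none, ip, t0 + 60)]:
        try:
            verify_jwt(tok, cip, fp, at); out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    access2, rt2 = refresh(store, rt, ip, fp, t0 + 600)         # first use of rt: fine
    for name, tok in [("replay", rt), ("after_replay", rt2)]:   # rt again: replay; rt2: now dead too
        try:
            refresh(store, tok, ip, fp, t0 + 601); out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```

The access token is checked by algorithm pin, signature, expiry and binding alone, so no lookup is needed per request; the refresh store is the one stateful piece, and it is what makes replay detection possible. Binding to the client IP has a cost: an evaluator whose address changes mid-session (mobile data, carrier NAT) fails the binding check and must log in again, so the device fingerprint should carry most of the weight where that is common.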
Brute Force Protection
Progressive lockout on failed login attempts, with each successive lock lasting longer. Account locks trigger admin notifications that include the source IP address and attempt details.
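One way to implement progressive lockout with the notification described above, as an added example rather than MAPLES OSM's code: the five-failure threshold, the doubling schedule starting at 60 seconds, the one-hour cap, the user ID and IP addresses, and the stand-in credential check are all assumptions.

```python
"""Progressive lockout with admin notification. Added illustration, not MAPLES OSM
code: thresholds, backoff schedule, the notification sink and the credential
check are assumptions."""
import time
from dataclasses import dataclass, field

LOCK_AFTER = 5      # consecutive failures that trigger a lock
BASE_LOCK = 60      # seconds for the first lock
MAX_LOCK = 3600     # cap on the doubling schedule

@dataclass
class AccountState:
    failures: int = 0            # consecutive failures since the last lock or success
    lock_count: int = 0          # locks so far; each one doubles the next duration
    locked_until: float = 0.0
    attempts: list = field(default_factory=list)   # (timestamp, ip, outcome) for the admin report

class LoginGuard:
    def __init__(self, check_credentials, notify_admin):
        self.check_credentials = check_credentials   # (user, password) -> bool
        self.notify_admin = notify_admin             # called with a dict describing the lock
        self.accounts = {}

    def attempt(self, user, password, ip, now=None):
        """Return "ok", "denied" (bad password) or "locked"."""
        now = time.time() if now is None else now
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:                    # locked: refuse before even checking the password
            st.attempts.append((now, ip, "rejected_while_locked"))
            return "locked"
        if self.check_credentials(user, password):
            st.failures, st.lock_count = 0, 0
            st.attempts.clear()
            return "ok"
        st.failures += 1
        st.attempts.append((now, ip, "bad_credentials"))
        if st.failures < LOCK_AFTER:
            return "denied"
        duration = min(BASE_LOCK * 2 ** st.lock_count, MAX_LOCK)   # progressive: 60 s, 120 s, 240 s, ...
        st.lock_count += 1
        st.failures = 0
        st.locked_until = now + duration
        self.notify_admin({
            "user": user, "locked_for_seconds": duration, "lock_count": st.lock_count,
            "source_ips": sorted({a[1] for a in st.attempts}),
            "attempts": list(st.attempts),
        })
        return "locked"

def demo():
    notices = []
    guard = LoginGuard(lambda user, pw: pw == "correct horse", notices.append)  # constructed credential check
    t0 = 1_700_000_000.0
    seq = [guard.attempt("eval_17", f"guess{i}", "198.51.100.9", now=t0 + i) for i in range(5)]
    # locked for 60 s: even the right password from another address is refused, and recorded
    seq.append(guard.attempt("eval_17", "correct horse", "203.0.113.7", now=t0 + 10))
    # once the lock lapses, a second run of failures locks for twice as long
    seq += [guard.attempt("eval_17", f"guess{i}", "198.51.100.9", now=t0 + 100 + i) for i in range(5)]
    return seq, notices
```

Because the lock is keyed by account, anyone who knows an evaluator's username can lock them out during a marking window by sending bad passwords; pair this with per-IP rate limiting and keep the cap modest so that denial-of-service cost stays bounded.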
Dual Backup Storage
Every scanned page and evaluation record exists in two independent storage locations. If one fails, the other serves as a complete backup.
Security that stands up to scrutiny
Schedule a security walkthrough to see evaluator anonymity, face recognition, audit trails, and RBAC in action.