INSPERA API POLICY v1.0 (2024-01-16)
This policy sets out the terms that apply when a customer uses, makes contact with or interacts with the external Application Programming Interfaces (here designated as “API”) provided by Inspera.
Note that Inspera can amend this policy from time to time without any prior notice. Therefore, the users shall consult this policy periodically and the most recent version of it shall always be taken into consideration.
The Inspera Assessment API is a set of REST APIs allowing external systems to access a subset of Inspera Assessment functionality using Inspera Assessment user privileges. The functionality provided includes creating and updating Test Events, assigning and removing Learners and Contributors from Test Events, exporting results and responses after marking/grading, as well as user management. The development and update of new APIs is made continuously. All changes and additions to existing APIs, as well as newly developed APIs and API roadmap plans are announced through Inspera’s release notes (available here).
Design Principles
The Inspera APIs are designed based on the following core principles:
- Inspera APIs provide endpoints for pushing and pulling data
- Inspera Webhooks provide outgoing notifications about events in Inspera services
- Both the APIs and the Webhooks are designed to be generally reusable - no tight coupling with external systems:
  - Integration layers typically sit between the Inspera API/Webhooks and external services, providing any conversion required to ensure system interoperability
- OAuth is used for authentication
- Authorisation is handled through the same core permission model as is used across the rest of the Inspera Assessment service
Authentication and Authorisation
Access to the API is granted through the use of unique API keys or tokens issued by Inspera upon registration. These keys are non-transferable and must be securely stored and used exclusively by the registered user or entity. The users are solely responsible for the confidentiality and proper use of their assigned API keys or tokens. In the event of key compromise or unauthorised use, users must promptly notify Inspera to prevent potential misuse or breaches. The users must refrain from sharing, selling, or otherwise disclosing their API keys or tokens to third parties. Any attempt to manipulate, forge, or bypass authentication mechanisms to gain unauthorised access to the API is strictly prohibited and may result in immediate termination of API access.
Access to specific API endpoints or functionalities is determined by assigned roles and permissions associated with the provided API keys or tokens (for more details, please consult here, under the section “Getting started”). Inspera reserves the right to modify or revoke access levels based on user activity, compliance with policies, or business requirements. Users are responsible for ensuring that their API usage complies with the designated roles and permissions granted by Inspera. Any unauthorised attempts to access restricted resources or misuse of authorised access will be considered a violation of this policy.
Inspera also reserves the right to periodically review and modify access controls, roles, or permissions associated with API keys or tokens. Users will be duly notified of any changes that may impact their access levels or usage.
API Usage
For the benefit of all users of Inspera’s API, it is imperative that users adhere to the usage policy of the APIs. This helps to prevent issues with service availability, corruption of or damage to data, and other errors or technical issues.
Note that the general limits regarding Inspera Assessment also apply to the APIs (available here: Limits in Inspera Assessment).
The rate limits defined herein apply per tenant, unless otherwise specified:
- Maximum number of concurrent active requests made against the Inspera API by the same customer entity shall be limited to ten (10) requests - this limit applies across all API user accounts registered to tenants owned by the same customer
- API response time will vary depending on the complexity of the requested operation - for some APIs this will exceed the general timeout limit otherwise used in the Inspera Assessment application (60s)
Users exceeding the above specified request limits will receive an error report or code response indicating that the request limit has been reached and the user shall immediately reduce the usage of the API appropriately. Inspera reserves the right to review and modify request limits based on user activity, service usage patterns, or as necessitated by business requirements. Users will be informed in advance of any planned changes to the rate limits affecting their subscription. Users are expected to utilize the API within the designated limits of their subscription. Intentional or repeated attempts to bypass or abuse rate limitations are strictly prohibited and may result in immediate suspension or termination of API access privileges.
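The usage limits above translate into two concrete client-side obligations: never hold more than ten requests open against the tenant at once, and back off when the API signals that the limit has been reached, rather than retrying immediately. The following is an added illustration of a client wrapper that does both; it is not Inspera's code and the policy does not specify the error format, so the HTTP status 429, the request paths and the constructed stand-in server used to exercise it are assumptions. The timeout is set above the 60s application timeout the policy mentions because some API responses are stated to exceed it.

```python
"""Concurrency-capped API client with exponential backoff on rate-limit responses.

Added example, not Inspera's code. Assumptions: the transport is any callable
(path, timeout) -> (status, body); a rate-limit response is modelled as HTTP 429.
"""
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_CONCURRENT = 10        # policy: ten concurrent requests per customer entity
REQUEST_TIMEOUT_S = 180.0  # above the 60 s application timeout some API calls exceed

Response = Tuple[int, str]
Transport = Callable[[str, float], Response]


@dataclass
class RateLimitedClient:
    transport: Transport
    max_concurrent: int = MAX_CONCURRENT
    timeout_s: float = REQUEST_TIMEOUT_S
    rate_limit_statuses: frozenset = frozenset({429})  # assumption, see lead-in
    max_retries: int = 4
    base_backoff_s: float = 0.01
    sleep: Callable[[float], None] = time.sleep
    peak_in_flight: int = field(default=0, init=False)
    _in_flight: int = field(default=0, init=False)
    _gate: threading.BoundedSemaphore = field(init=False)
    _lock: threading.Lock = field(default_factory=threading.Lock, init=False)

    def __post_init__(self) -> None:
        # The semaphore is the hard cap: the 11th caller blocks until a slot frees.
        self._gate = threading.BoundedSemaphore(self.max_concurrent)

    def request(self, path: str) -> Response:
        with self._gate:
            with self._lock:
                self._in_flight += 1
                self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
            try:
                return self._send_with_backoff(path)
            finally:
                with self._lock:
                    self._in_flight -= 1

    def _send_with_backoff(self, path: str) -> Response:
        delay = self.base_backoff_s
        for attempt in range(self.max_retries + 1):
            status, body = self.transport(path, self.timeout_s)
            if status not in self.rate_limit_statuses:
                return status, body
            if attempt == self.max_retries:
                break
            self.sleep(delay)  # reduce pressure instead of hammering the API
            delay *= 2         # exponential backoff
        raise RuntimeError(f"rate limit still in force after {self.max_retries} retries: {path}")


class ConstructedServer:
    """Constructed stand-in for the API (not a real endpoint): rejects any request that
    would exceed `limit` concurrent active requests and throttles the first
    `throttle_first` calls so the backoff path is exercised."""

    def __init__(self, limit: int = MAX_CONCURRENT, throttle_first: int = 3) -> None:
        self.limit, self.throttle_first = limit, throttle_first
        self.calls = self.active = self.peak_active = self.rejected = 0
        self._lock = threading.Lock()

    def __call__(self, path: str, timeout_s: float) -> Response:
        with self._lock:
            self.calls += 1
            self.active += 1
            self.peak_active = max(self.peak_active, self.active)
            over_limit = self.active > self.limit
            throttled = self.calls <= self.throttle_first
        try:
            time.sleep(0.002)  # simulated processing time
            if over_limit or throttled:
                with self._lock:
                    self.rejected += 1
                return 429, "request limit reached"
            return 200, f"ok:{path}"
        finally:
            with self._lock:
                self.active -= 1


def run_batch(client: RateLimitedClient, paths: List[str]) -> List[Optional[Response]]:
    """Fire every request from its own thread; the client, not the caller, enforces the cap."""
    results: List[Optional[Response]] = [None] * len(paths)

    def worker(i: int, p: str) -> None:
        results[i] = client.request(p)

    threads = [threading.Thread(target=worker, args=(i, p)) for i, p in enumerate(paths)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo(n_requests: int = 30) -> Dict[str, int]:
    """30 requests launched at once: at most 10 are ever active, and the 3 throttled
    responses are absorbed by backoff so every request eventually succeeds."""
    server = ConstructedServer(limit=MAX_CONCURRENT, throttle_first=3)
    client = RateLimitedClient(transport=server)
    results = run_batch(client, [f"/placeholder/test-events/{i}" for i in range(n_requests)])
    return {
        "ok": sum(1 for r in results if r is not None and r[0] == 200),
        "rate_limited_responses": server.rejected,
        "client_peak_in_flight": client.peak_in_flight,
        "server_peak_active": server.peak_active,
    }


if __name__ == "__main__":
    print(demo())
```

The semaphore slot is held while a request backs off, so a throttled request still counts against the ten-slot budget; that is deliberate, since releasing it would let another caller start and push more traffic at an API that has just asked for less.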
Enforcement
Users accessing the API services provided by Inspera are required to adhere to all policies outlined in the API usage guidelines, including but not limited to authentication, rate limiting, data handling, error handling, documentation, compliance, and legal obligations. Any suspected breach or violation of the API usage policies will be investigated promptly by Inspera to determine the nature, extent, and severity of the breach, involving appropriate resources as necessary.
Non-compliance with API usage policies, misuse, or illegal activities, may result in legal actions pursued by Inspera, seeking remedies available under applicable laws or contractual agreements. Users found liable for damages resulting from deliberate misuse, breaches, or unauthorised activities in violation of the API usage policies may be held accountable for compensatory or punitive damages as permitted by law.
Data Handling and Security
All data transmitted through the API shall be encrypted using industry-standard encryption protocols to ensure secure communication between customers and servers. Inspera is committed to maintaining the confidentiality and integrity of stored data. Sensitive information stored within the system or databases will be encrypted at rest using strong cryptographic measures.
Data handled by the API will be categorised based on its sensitivity, and appropriate measures will be taken to ensure the protection and restricted access of sensitive data. Any data exchanged through APIs must compromise neither the data subjects (test-takers) nor Inspera itself. Access to sensitive information will be strictly controlled and limited to authorised personnel on a need-to-know basis. Access will be granted based on defined roles and permissions in accordance with the principle of least privilege. Mechanisms to maintain data integrity will be employed to detect and prevent unauthorised tampering or alterations to stored data. Inspera will adhere to a defined data retention policy, specifying the duration for which data will be stored. Data exceeding the retention period will be securely and irreversibly deleted from all available systems or anonymised. Any activity resembling data crawling shall be monitored and investigated; if suspicious, it shall be suspended.
A documented security incident response plan will be invoked to promptly address and mitigate security breaches, including unauthorised access, data leaks, or any other security incidents affecting the API or stored data. Regular security audits, assessments, and penetration testing will be conducted to identify vulnerabilities, assess risks, and ensure compliance with security standards. Remediation of identified issues will be prioritised and acted upon promptly.
Error Handling
The API will provide clear and informative error messages in response to client requests that encounter errors. These messages will be designed to facilitate effective debugging and troubleshooting. In the event of an error, the API will provide relevant error details, including error codes, descriptions, and potential resolution steps, facilitating the client's understanding of the issue. Detailed documentation will accompany error responses, providing the customers with guidance on handling different error scenarios, ensuring a standardized approach to error resolution on the client side.
Documentation and Changes to APIs
The API documentation will provide comprehensive descriptions of all endpoints, including their functionalities, expected input parameters, and response formats. Clear documentation outlining the format of requests and expected responses, including examples and sample payloads, will be made available to facilitate seamless integration and usage by developers.
Inspera continually develops the published APIs; therefore changes to the APIs will be managed through a versioning system. Each distinct version will be clearly identified, and changes between versions will be documented comprehensively, including deprecated features. Unless otherwise noted, all changes made are backwards compatible. Examples of such changes are the publishing of new APIs, marking an existing API for deprecation, adding new fields to existing APIs, or adding support for new values in existing fields of an API. Deprecated versions will be supported for a reasonable period, allowing users to transition to newer versions smoothly. Users will be notified in advance about the deprecation timeline and provided with guidance for migration.
Inspera will communicate any breaking changes within the API through appropriate channels. This may include email notifications, release notes, or other means of communication to registered users. In general, such notifications will be sent out at least six (6) months in advance. However, there may be exceptions for changes that are deemed to have no user impact (based on historical traffic logs). If an exception is made, the lead time on the notification will be shortened, but in any case to not less than thirty (30) days.
Compliance, Applicable Regulations and Terms of Service
Inspera will continuously monitor API usage and associated activities to ensure compliance with legal and regulatory requirements. Non-compliance may result in corrective actions, suspension of access privileges, or legal consequences in accordance with applicable laws. Persistent or severe violations of compliance and legal obligations may lead to termination of API access and services provided to the non-compliant user(s), subject to the discretion of Inspera.
Inspera commits to comply with all applicable data protection and privacy laws, regulations, and standards governing the collection, processing, and storage of user data, including but not limited to GDPR, HIPAA, CCPA, and other relevant frameworks. The API usage and associated services provided by Inspera will align with consumer protection laws, ensuring fairness, transparency, and protection of user rights in accordance with applicable regulations.
Users accessing the API agree to abide by the terms of service established by Inspera. These terms encompass the permissible use of the API, restrictions on abusive behaviour, intellectual property rights, and liability disclaimers. Users are expected to adhere to this policy, which prohibits unauthorised access, abusive usage, disruptive activities, and any other forms of prohibited conduct.