Turnitin & GDPR


Having stood at the forefront of academic integrity solutions for over 20 years, we are committed to holding our processes and practices to high standards. Complying with the General Data Protection Regulation (GDPR) is no exception.

Since the GDPR came into force in 2018, we have enforced, maintained and continually improved our GDPR compliant privacy practices in order to reassure our customers and users of our services that their data will be processed lawfully, fairly and securely. Answers to some of our most frequently asked questions are below.


Yes. As an ed tech company, we work to ensure that our data protection practices are in line with the GDPR and other applicable global laws. Turnitin employs a Data Protection Officer to oversee the governance of our GDPR practices.

Yes. Under the GDPR, submission content itself is ‘Personal Data’. Turnitin’s database of submissions, which is used in conjunction with other internet sources for comparisons and text matching, is located in the United States. It is therefore necessary and consistent with the contracts and data processing addendums that we execute with customers, to transfer personal data outside the EU to the US in order to perform our services. Transferred data is in encrypted form. Where we use the AWS platform for hosting, data is stored exclusively in the EU (in Frankfurt), but in order to perform the services that data will be transferred to the US. Wholly owned group companies of Turnitin process data in ‘third countries’ (countries outside the EU or with no current adequacy decision) and only Turnitin employees with the need for access to such data may process the data in order to perform the services (i.e., for engineering, security or customer support reasons).

In July 2023, the European Union adopted an ‘adequacy decision’ under the GDPR that the privacy afforded to personal data when processed in the US provided an essentially equivalent level of protection as it receives in the EU, subject to a US organisation certifying to the EU-US Data Privacy Framework (“DPF”) and adhering to the principles within the DPF. Turnitin’s DPF certification may be reviewed here. Turnitin will also continue to enter into the European Commission’s Standard Contractual Clauses (SCCs) with its customers. The SCCs are applicable to all Turnitin group companies that may process Personal Data. This means that our group companies also are parties to the SCCs and are bound by their provisions, which provide additional safeguards, risk management, and comfort for our customers.

Yes. Switzerland and the UK elected to rely upon the DPF subject to organizations certifying to the DPF principles under relevant domestic law. Turnitin and Examsoft adhere to the DPF principles pursuant to both the UK and Swiss legislation. UK and Swiss customers therefore may rely upon the DPF. Turnitin’s adherence to the UK and Swiss requirements may be viewed here .

Thanks to the approval of the DPF, the European Commission has determined that surveillance laws in the US pose no significant risk to the data of Europeans processed in the US.Surveillance laws exist to counter criminal (especially terrorist) activities, and are practically applied to data suspected to be foreign intelligence information. In Turnitin’s opinion, the likelihood of a US law enforcement agency accessing the data our customers share and Turnitin processes is extremely low. No such requests have been made to Turnitin since Turnitin was founded over 25 years ago.Recently, the US government has taken previously unprecedented steps to enshrine the importance of data privacy, and has enacted new laws aimed at providing additional rights to individuals regarding their data, including: (1) binding protections that limit US intelligence agencies' access to data to what is necessary and proportional to preserve national security; (2) enhanced control of US intelligence services' actions to ensure compliance with surveillance activity restrictions; and (3) the formation of an independent and impartial redress structure, including a new Data Protection Review Court, to review and resolve concerns against US national security officials accessing personal data.

Turnitin regularly updates its technical and organisational measures which exist to protect the security of the processed personal data, in accordance with Art.32 GDPR. These measures include: SOC2 certification, sophisticated firewalls, TLS network encryption, encryption of data (in transit and at rest), and appropriate policies, training,and physical security measures. Turnitin’s current technical and organisational measures are available both in the applicable annex of the SCCs and upon request from your Account Manager.

Turnitin has implemented processes to handle a data subject’s rights to access, deletion, and rectification of their Personal Data in accordance with the GDPR. Generally, the customer, as data controller, must approve (or deny) such requests subject to the provisions of the GDPR.

Turnitin implements and maintains a Data Breach Notification Policy that is consistent with GDPR requirements and will adhere to in the event of a breach.

Customer queries may be directed to Turnitin's Data Protection Officer at: DPO@turnitin.com

Copyright © 2024 Turnitin, LLC. All rights reserved. Privacy Pledge