Security

Schools trust us with their most sensitive data.
Here's how we earn it.

EduSphere is built multi-tenant from the database layer up. Tenant isolation, role-based access control, encryption, and audit logging are not features we added — they are how the platform works.

🛡️
Multi-tenant data isolation
Every privileged backend query is scoped by the schoolId in your JWT. No code path lets one tenant read another tenant’s rows — not even by guessing IDs. Frontend-supplied IDs are never trusted; the server re-derives the school context from the signed token on every request.
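The scoping rule described above, as an added example (not EduSphere's own code): the tenant is taken from the verified token, and any tenant ID sent by the client is ignored. Assumptions: an HS256-signed token carrying the schoolId claim named on this page, a hypothetical students table, SQLite standing in for Postgres, and hypothetical function names throughout.

```python
import base64, hashlib, hmac, json, sqlite3, time

SECRET = b"constructed-demo-key"  # assumption: HS256 signing key, sample value

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims):
    """Build a sample HS256 token (stands in for the login service)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(head, body))}"

def school_from_token(token):
    """Return schoolId only if signature, algorithm and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_mac(head, body), _unb64(sig)):
            raise PermissionError("bad signature")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise PermissionError("malformed token") from exc
    if header.get("alg") != "HS256" or claims.get("exp", 0) <= time.time():
        raise PermissionError("wrong algorithm or expired token")
    if not isinstance(claims.get("schoolId"), int):
        raise PermissionError("token carries no schoolId")
    return claims["schoolId"]

def get_student(db, token, student_id, client_school_id=None):
    """client_school_id models a frontend-supplied tenant ID; it is ignored."""
    school_id = school_from_token(token)  # tenant comes from the token only
    return db.execute(
        "SELECT id, name FROM students WHERE id = ? AND school_id = ?",
        (student_id, school_id),
    ).fetchone()

def demo_db():
    """In-memory SQLite with constructed rows for two tenants (10 and 20)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, school_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)",
                   [(1, 10, "Asha"), (2, 20, "Ravi")])
    return db
```

Requesting another tenant's row ID returns no row, and a token whose payload was edited after signing is rejected before any query runs.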
🔑
Role-based access + permission overrides
Nine built-in roles (super, district, school admin, teacher, accountant, librarian, office staff, student, parent) plus per-user permission overrides. A school admin can revoke any granular permission for any staff member without writing code.
🔒
Encryption in transit and at rest
TLS 1.2+ on every connection. Database volumes encrypted with AES-256 at rest. Refresh tokens hashed before storage. We never store payment card data — Razorpay handles PCI scope end-to-end.
☁️
Backups, redundancy & uptime
Hourly point-in-time backups with 30-day retention. Multi-AZ Postgres replication. Target 99.9% monthly uptime; status page reports incidents in real time.
📜
Audit logs for every state change
Logins, password resets, fee receipts, exam grading, permission changes — every privileged action is logged with actor, IP, user agent and metadata. School admins can review their own school’s audit trail; super admins can review platform events.
👥
Strong authentication
Short-lived access tokens with rotated refresh tokens. Forgot-password flows use single-use, time-boxed reset tokens. Google SSO available on Scale; SAML SSO on Enterprise. MFA on the roadmap for 2026.

Compliance & certifications

Where we are today and where we are heading.

SOC 2 Type 1: Roadmap · Q4 2026
GDPR-aligned data handling: Live
India DPDP Act readiness: Live
PCI scope: Out of scope (Razorpay handles cards)

Subprocessors

Third parties that touch tenant data — listed for transparency.

Amazon Web Services
Hosting, storage, backups · ap-south-1 (Mumbai)
Razorpay
Online payments · India
SendGrid
Transactional email · Global
Cloudflare
DDoS, CDN, WAF · Global
📄
Data processing addendum
Our standard DPA covers controller/processor obligations under GDPR and the India DPDP Act.
🔌
Responsible disclosure
Found a vulnerability? Report it confidentially to security@edusphere.app. We respond within one business day.
☁️
System status
Real-time uptime and incident history are published on our public status page.

Need a security review or vendor questionnaire?

We're happy to walk your IT and procurement teams through our architecture.
