Security Policy

Effective Date: 30 March 2026

Platform: Campus 24x7 - School ERP Software

1. Purpose

This Security Policy defines the technical and organizational safeguards implemented to ensure:

  • Confidentiality of institutional and student data
  • Integrity of academic and financial records
  • Availability and reliability of services

2. Scope

Applies to:

  • All users (institutions, staff, students, parents)
  • All systems (frontend, backend, database, infrastructure)
  • All data processed within the platform

3. Infrastructure Security

3.1 Hosting Environment

  • Hosted on Hostinger VPS
  • Isolated production, staging, and development environments
  • Controlled administrative access with least-privilege enforcement

3.2 Server Hardening

  • SSH access via key-based authentication only
  • Root access restricted
  • Firewall (UFW/Nginx rules) configured
  • Unused ports and services disabled

3.3 Network Security

  • Reverse proxy via Nginx
  • Rate limiting and request throttling enabled
  • HTTPS enforced (TLS 1.2+)
  • Protection against brute-force and common network attacks

4. Application Security

4.1 Secure Development Lifecycle

  • Backend: NestJS (modular architecture, validation pipelines)
  • Frontend: React (TypeScript) with strict typing
  • Code reviews and structured deployment process

4.2 Authentication

  • Secure login with bcrypt password hashing
  • Multi-Factor Authentication (MFA) enabled for privileged roles
  • Token-based authentication (JWT)
  • Session expiration and token invalidation

4.3 Authorization

  • Fine-grained Role-Based Access Control (RBAC)
  • Permissions configurable per institution
  • Enforcement at API and service layers

4.4 API Security

  • All endpoints authenticated and authorized
  • Input validation and sanitization
  • Protection against SQL Injection, XSS, and CSRF

5. Data Security

5.1 Data Classification

  • Highly Sensitive: Student personal data, financial records
  • Sensitive: Academic and operational data
  • Non-sensitive: Public information

5.2 Data Storage

  • Stored in MySQL database
  • Tenant isolation enforced via institution-scoped queries
  • Strict query validation middleware

5.3 Encryption

  • Data in transit encrypted (HTTPS)
  • Sensitive fields encrypted where applicable
  • Passwords hashed (bcrypt)

5.4 Backup and Recovery

  • Automated periodic backups
  • Secure storage of backups
  • Regular restoration testing

6. Multi-Tenant Security

  • Logical tenant isolation enforced at application layer
  • All queries scoped by institution ID
  • Middleware-level validation prevents cross-tenant access
  • Regular validation checks for isolation integrity

7. Access Control and Audit

7.1 Internal Access Control

  • Access limited to authorized personnel only
  • Role-based internal access enforcement

7.2 Audit Logging

Comprehensive logging of:

  • Login activity
  • Data creation and modification
  • Permission changes

7.3 Exportable Audit Logs

  • Institutions can access and export audit logs
  • Supports transparency and compliance requirements

8. Monitoring and Logging

  • Centralized managed logging system
  • Real-time monitoring of errors, suspicious activities, and performance anomalies
  • Alerts configured for critical events

9. Incident Response

In case of a security incident:

  1. Detection and validation
  2. Immediate containment
  3. Root cause analysis
  4. Vulnerability remediation
  5. Notification to affected institutions (if required)
  6. Post-incident review and improvement

10. Vulnerability Management

  • Regular dependency updates (Node.js, NestJS, libraries)
  • Security patches applied promptly
  • Periodic vulnerability assessments

11. Third-Party Security

Third-party services include:

  • Hosting provider (Hostinger VPS)
  • Payment gateways
  • Communication providers (SMS and email)

Controls:

  • Minimal data sharing
  • Vendor reliability and security evaluation

12. Data Breach Policy

In case of a confirmed breach:

  • Immediate containment and investigation
  • Impact assessment
  • Notification to affected institutions within reasonable time
  • Implementation of corrective measures

13. Compliance

Aligned with:

  • Information Technology Act, 2000 (India)
  • SPDI Rules, 2011 (Reasonable Security Practices)
  • Industry-standard SaaS security practices

Future alignment:

  • ISO 27001 (planned)
  • GDPR (if applicable)

14. Business Continuity and Disaster Recovery

  • Backup-driven recovery strategy
  • RPO: less than or equal to 24 hours
  • RTO: 4 to 8 hours

15. User Responsibilities

Users must:

  • Maintain credential confidentiality
  • Enable MFA where applicable
  • Avoid credential sharing
  • Report suspicious activity immediately

16. Limitations

Security controls reduce risk but cannot eliminate:

  • Advanced persistent threats
  • Zero-day vulnerabilities
  • User negligence
  • Infrastructure-level failures

17. Policy Updates

  • Policy may be updated periodically
  • Continued platform use implies acceptance

18. Contact

For security concerns or vulnerability reporting:

Email: info@campus24x7.in