Security First

Enterprise Security. Zero Compromise.

Your institution's data is one of its most valuable and sensitive assets. We treat it that way. Every architectural decision we make starts with the question: is this secure?

Security Architecture

Eight pillars of enterprise protection

Tenant Isolation

Every institution's data is cryptographically isolated at the database level. Thread-local tenant context prevents any cross-tenant data access, even in shared infrastructure deployments.

Role-Based Access Control

Granular permission system ensures users see and do only what their role requires. 12 pre-built roles plus custom role creation. Object-level permissions for maximum granularity.

Encryption at Rest

All sensitive data is encrypted at rest using AES-256. Encryption keys are managed using an HSM-backed key management system with automatic key rotation policies.

Encryption in Transit

TLS 1.3 enforced for all connections. HSTS headers, certificate pinning, and automatic TLS certificate renewal. All API calls, file uploads, and data transfers are encrypted end-to-end.

Immutable Audit Logs

Every user action is logged with actor identity, timestamp, IP address, and before/after state. Logs are cryptographically signed and stored in a tamper-proof append-only system.
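The signed, append-only audit trail described above, as an added illustration that is not SchoolSyntaxERP's own code: each record carries actor, timestamp, IP and before/after state, is HMAC-signed and chained to its predecessor, and a verifier reports the first record that was altered, removed or reordered. The signing key and sample events are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment would keep it in the HSM-backed KMS.
SIGNING_KEY = b"example-audit-log-signing-key"

def _canonical(entry):
    """Deterministic encoding so the signature covers exactly the stored fields."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def append_event(log, actor, timestamp, ip, before, after, action):
    """Append one audit record chained to its predecessor; records are never rewritten."""
    prev = log[-1]["sig"] if log else "genesis"
    entry = {"seq": len(log), "actor": actor, "timestamp": timestamp, "ip": ip,
             "action": action, "before": before, "after": after, "prev": prev}
    entry["sig"] = hmac.new(SIGNING_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry

def verify_log(log):
    """Return the index of the first bad record, or -1 if the whole chain is intact.
    Editing, deleting or reordering a record breaks a signature or a prev link."""
    prev = "genesis"
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["sig"])):
            return i
        prev = entry["sig"]
    return -1

def sample_log():
    """Two constructed events from a hypothetical institution."""
    log = []
    append_event(log, "admin@inst-a", "2026-01-10T09:00:00Z", "203.0.113.5",
                 {"grade": "B"}, {"grade": "A"}, "grade.update")
    append_event(log, "registrar@inst-a", "2026-01-10T09:05:00Z", "203.0.113.9",
                 None, {"student": "new"}, "student.create")
    return log

def tampered_log():
    """Same log with the first record's after-state quietly altered."""
    log = sample_log()
    log[0]["after"] = {"grade": "A+"}
    return log
```

Truncating the newest records is the one change a chain alone cannot detect, so the latest signature also has to be anchored somewhere the log writer cannot reach.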

Session Management

Secure session handling with configurable timeout policies, concurrent session limits, force-logout capability, and multi-factor authentication support for admin accounts.

Backup & Recovery

Automated daily backups with 90-day retention. Point-in-time recovery for Enterprise plans. Backup verification runs are performed weekly. RTO < 4 hours, RPO < 1 hour.

DDoS Protection

Always-on DDoS mitigation via Cloudflare Enterprise. Rate limiting, bot detection, and WAF rules protect against common web attacks including SQL injection and XSS.

Security Architecture

Defense in depth — multiple layers

We don't rely on a single security control. SchoolSyntaxERP employs a defense-in-depth strategy with multiple independent layers of protection, so that a failure of any single layer does not compromise your data.

CDN + DDoS Layer: Cloudflare Enterprise — traffic filtering & mitigation
WAF + TLS Termination: Web Application Firewall + TLS 1.3
Authentication + RBAC: session management, MFA, permission enforcement
Tenant Isolation Layer: thread-local context, row-level security
Encrypted Data Store: AES-256 encryption at rest, HSM key management

Security Compliance & Certifications
GDPR Compliant

Full GDPR compliance including right to erasure, data portability, and data processing agreements (DPAs) available for EU institutions.

SOC 2 Type II Aligned

Our security controls, policies, and procedures are aligned with SOC 2 Type II requirements. Formal certification process in progress for Q3 2026.

ISO 27001 Alignment

Information security management aligned with ISO 27001 framework. Risk assessment, treatment plans, and ISMS in active operation.

Data Residency Options

Enterprise plans support data residency requirements with dedicated infrastructure in your preferred geographic region.

Security Questions

Common security questions

How is data isolated between institutions?

Each institution is a completely isolated tenant. We use thread-local tenant context at the application layer and row-level security at the database layer. Every database query is automatically scoped to the requesting institution's tenant ID. No shared tables without tenant discrimination. Our architecture has been independently reviewed by security auditors.
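The two isolation layers named in that answer, as an added example that is not SchoolSyntaxERP's own code: a tenant is bound to the request thread for exactly the life of the request, and a query helper scopes every read to that tenant and fails closed when none is bound. The in-memory table and its rows are constructed for the example.

```python
import threading
from contextlib import contextmanager

# Constructed sample rows standing in for one shared, tenant-discriminated table.
STUDENTS = [
    {"tenant_id": "inst-a", "id": 1, "name": "Alice"},
    {"tenant_id": "inst-a", "id": 2, "name": "Bob"},
    {"tenant_id": "inst-b", "id": 3, "name": "Chandra"},
]
_ctx = threading.local()  # tenant bound to the current request thread

class TenantContextMissing(RuntimeError):
    """Raised when a query runs with no tenant bound: fail closed rather than leak."""

@contextmanager
def tenant_scope(tenant_id):
    """Bind a tenant for one request and always unbind afterwards, so a pooled
    worker thread cannot carry one institution's context into the next request."""
    _ctx.tenant_id = tenant_id
    try:
        yield
    finally:
        _ctx.tenant_id = None

def current_tenant():
    tenant_id = getattr(_ctx, "tenant_id", None)
    if tenant_id is None:
        raise TenantContextMissing("no tenant bound to this thread")
    return tenant_id

def query_students(**filters):
    """Every read is scoped to the bound tenant; callers cannot widen the scope."""
    tenant_id = current_tenant()
    return [row["name"] for row in STUDENTS
            if row["tenant_id"] == tenant_id
            and all(row.get(k) == v for k, v in filters.items())]

def names_per_tenant(tenant_ids):
    """Serve one request per tenant on its own thread; each sees only its own rows."""
    results = {}
    def worker(tid):
        with tenant_scope(tid):
            results[tid] = query_students()
    threads = [threading.Thread(target=worker, args=(tid,)) for tid in tenant_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```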

Can your staff access our institution's data?

SchoolSyntaxERP staff access to tenant data is controlled via the Platform Admin impersonation feature, which requires explicit activation. All such access is logged in full and institutions can view the complete log of any platform-level access to their tenant at any time. Production database access for our engineers requires multi-party approval and is fully logged.

What happens to our data if we cancel?

Upon cancellation, you have 30 days to export all your data in standard formats (CSV/JSON). After this period, your data is securely deleted from all our systems, including backups, within 90 days. We provide written confirmation of deletion upon request.

Do you conduct penetration testing?

Yes. Annual independent penetration tests are conducted by accredited third-party security firms. We also run an ongoing bug bounty program. Critical findings are remediated within 24 hours, high findings within 7 days. Enterprise clients can request a copy of our most recent penetration test summary report.

Is multi-factor authentication available?

Yes. MFA via TOTP (Google Authenticator, Authy) is available for all users. For Professional and Enterprise plans, MFA can be enforced at the institution level — preventing any admin or staff member from logging in without a second factor.

Your students' data deserves the best protection

Talk to our security team about how SchoolSyntaxERP protects your institution's most sensitive data.
