Trust centre

Data residency by country

• Singapore tenants: hosted in AWS Singapore (ap-southeast-1), PDPA-aligned, named Data Protection Officer per tenant.
• Bangladesh tenants: hosted in AWS Singapore with optional Mumbai standby, aligned with Bangladesh Data Protection Act draft requirements.
• Nepal tenants: hosted in AWS Singapore with daily encrypted backups in a second region.
• India tenants: hosted in AWS Mumbai (ap-south-1), DPDP Act aligned, data fiduciary contract template available.

Access control

Role-based access with least-privilege defaults. Every admin action is logged with actor, timestamp, IP and previous/new value. Audit logs are retained for 7 years for Singapore and 5 years elsewhere.

Backups & recovery

Encrypted daily snapshots with 35-day retention, cross-region copies, and a documented restore drill executed quarterly with RTO 4 hours and RPO 24 hours.

Sub-processors

Full list available on request and updated at every contract renewal. Schools are notified 30 days in advance of any change to sub-processors handling personal data.

API & integration security

EduGradUP exposes a documented REST API for SIS, accounting and identity integrations. Authentication uses OAuth 2.0 (authorization-code and client-credentials flows) plus scoped API keys that you can rotate yourself from Setup → Developers. Every key is least-privilege and limited to named modules.

• Transport: TLS 1.2+ enforced; HSTS on all endpoints; no plaintext API access.
• Webhooks: every payload is signed with an HMAC-SHA256 signature so your endpoint can verify authenticity before processing.
• Rate limiting: per-key throttling with 429 back-off headers to protect tenant data and availability.
• Secrets: API secrets are shown once at creation, stored hashed, and revocable instantly; key rotation does not require downtime.

Certifications & evidence

We share proof, not just claims. Available the same day under a mutual NDA:

• ISO 27001 Statement of Applicability and ISMS audit scope.
• SOC 2 Type II bridge letter (full report on completion of the current observation window).
• Latest independent penetration-test executive summary (OWASP Top 10 / ASVS Level 2).
• Data-flow diagrams, sub-processor register and business-continuity / DR test results.

Security questionnaire

IT teams do not need to start from a blank questionnaire. Our trust pack ships pre-answered SIG-Lite and CAIQ (CSA STAR) responses, plus a VPAT-style accessibility statement. Send your own template to security@schoolsoftwareindia.com and we return it completed, typically within two business days, with no third-party hand-off.

GDPR & data-protection law

For European school groups and international schools, EduGradUP acts as a data processor under a Data Processing Addendum that incorporates the EU Standard Contractual Clauses.

• Lawful basis (Art. 6): processing limited to documented school instructions; no secondary use or advertising.
• Privacy by design (Art. 25): least-privilege roles, data minimisation and encryption on by default.
• Processor obligations (Art. 28): sub-processor transparency, audit rights and breach assistance contractually committed.
• Security of processing (Art. 32): encryption in transit (TLS 1.2+) and at rest (AES-256), tested resilience and restore drills.
• Data-subject rights: export and right-to-erasure honoured within 30 days; parent/student data deletable per record.

Reporting a vulnerability

Email security@schoolsoftwareindia.com. We acknowledge within 24 hours and have a published 90-day coordinated-disclosure policy. We do not pursue legal action against good-faith security research.