Student data is our most critical responsibility. Every layer of Alfanumrik is designed with defense-in-depth security principles.
Built on battle-tested infrastructure with encryption at every layer.
Global CDN with edge functions for minimal latency. Server-side rendering and static generation for performance and SEO.
Managed PostgreSQL with Row Level Security policies on every table. Real-time subscriptions with policy enforcement.
Primary database and edge functions deployed in the Mumbai (ap-south-1) region for low-latency access across India.
AES-256 encryption at rest for all database storage. TLS 1.3 for all data in transit. No unencrypted data paths.
Modern authentication standards with server-side enforcement.
Proof Key for Code Exchange (PKCE) for secure OAuth flows. No client secrets exposed to the browser.
Short-lived JWT access tokens with secure refresh token rotation. Tokens contain role and permission claims.
All sensitive operations validate sessions server-side. No client-side-only authentication checks for protected resources.
Role-Based Access Control with student, teacher, parent, admin, school_admin, and super_admin roles across 26 granular permissions.
Defense-in-depth data protection from the database to the API to the UI.
RLS policies on all database tables ensure users can only access their own data. Enforced at the database level, not application level.
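As an added illustration (not Alfanumrik's own schema or code), this is how an owner-only Row Level Security policy of the kind described is defined and checked in PostgreSQL; the `student_notes` table, the `app_user` role and the `app.user_id` session setting are assumed names.

```sql
-- Added example: owner-scoped Row Level Security enforced by the database itself.
-- Assumptions: the API connects as the non-superuser role app_user and, inside each
-- transaction, sets the authenticated user's id with  SET LOCAL app.user_id = '<uuid>'.
-- Superusers and roles with BYPASSRLS still bypass RLS, so the API must not use them.

CREATE ROLE app_user NOLOGIN;

CREATE TABLE student_notes (
    id       bigserial PRIMARY KEY,
    owner_id uuid NOT NULL,
    body     text NOT NULL
);

-- Reads the per-request user id; NULL when unset, so an unauthenticated request matches no rows.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.user_id', true), '')::uuid
$$;

ALTER TABLE student_notes ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner too, so no application connection can skip them.
ALTER TABLE student_notes FORCE ROW LEVEL SECURITY;

-- USING filters the rows a user can read, update or delete;
-- WITH CHECK rejects INSERT/UPDATE results that would belong to another owner.
CREATE POLICY owner_only ON student_notes
    FOR ALL TO app_user
    USING (owner_id = current_app_user())
    WITH CHECK (owner_id = current_app_user());

GRANT SELECT, INSERT, UPDATE, DELETE ON student_notes TO app_user;
GRANT USAGE, SELECT ON SEQUENCE student_notes_id_seq TO app_user;

-- Check, run as app_user with a constructed user id: the SELECT returns only this user's rows.
BEGIN;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO student_notes (owner_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'my note');  -- accepted
SELECT id, body FROM student_notes;                                -- only user 1111...'s rows
COMMIT;

-- Run separately (it aborts its transaction): writing a row for another owner is refused
-- with "new row violates row-level security policy", even though the role has INSERT rights.
BEGIN;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO student_notes (owner_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'forged');   -- rejected by WITH CHECK
ROLLBACK;
```

Because the filter lives in the policy rather than in each query, a forgotten `WHERE owner_id = ...` in application code cannot expose another student's rows.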
Personally identifiable information (names, emails, phone numbers) is encrypted at the field level using application-layer encryption.
All admin actions, data access events, and configuration changes are logged with timestamps, actor IDs, and action details.
Full compliance with the Digital Personal Data Protection Act, 2023 — consent management, data principal rights, and grievance redressal.
Every user sees only what they need. Every request is verified.
Strict role separation: students, teachers, parents, and admins each see only what they need. No role escalation possible.
Every resource has an owner. Ownership is checked on every read, write, and delete operation at both API and database levels.
Distributed rate limiting via Redis protects against abuse. Per-user, per-endpoint, and global rate limits with sliding windows.
Automated bot detection and CAPTCHA challenges for suspicious activity. Protects sign-up, login, and API endpoints.
AI-specific security measures to protect against emerging threats.
Multi-layer input sanitization and system prompt hardening prevent prompt injection attacks against the AI tutor.
All AI outputs pass through content filters for age-appropriateness, accuracy, and safety before reaching students.
Server-side validation of all XP awards, streak calculations, and leaderboard entries. No client-side trust for gamification.
Each AI tutoring session is isolated. No cross-session data leakage between students. Conversation history is per-user and encrypted.
Our security practices are validated against international standards.
Additional protections for students under 13 and all minor users.
Verified parental consent is required before account creation for students under 13, in compliance with DPDPA child data provisions.
We collect only the minimum data necessary for the learning experience. No unnecessary profiling or behavioral tracking.
Alfanumrik will never show advertisements to students or sell student data to any third party, period.
Transparent, rapid response protocols for security incidents.
Any confirmed data breach affecting student data will be disclosed to affected users and relevant authorities within 24 hours.
Automated error classification and escalation. Critical security events trigger immediate alerts to the security team.
Complete, immutable audit trail of all security events, access patterns, and administrative actions for forensic analysis.
For security concerns or to report a vulnerability, contact our security team at security@alfanumrik.com.