Designing for data trust from day one

Mamata

Technical Lead

Mar 21, 2026 · 5 min read

Student data is uniquely sensitive. We don’t have certifications to wave around yet, so this is what we’re actually doing — and why.

Student data is uniquely sensitive. It’s about minors. It includes addresses, parent contact details, medical information, exam history, attendance patterns, and bus routes. A breach isn’t just a regulatory event — it puts children at risk.

We’re a young company. We don’t have a wall of compliance certifications to flash, and we’d rather not pretend otherwise. What we do have is a clear set of design principles, and a roadmap to formal certification as we grow. Here’s where we are.

Encryption at every layer

  • In transit: TLS 1.2+ on every connection, including internal service-to-service calls.
  • At rest: AES-256 on databases, object storage and backups.
  • Field-level: medical and financial fields are encrypted with separately-managed keys, so even a database snapshot doesn’t expose them.

Role-based access control

Every user has a role — admin, teacher, parent, student, accountant, librarian, transport coordinator. Every API endpoint checks role and tenant on every call. A teacher can’t see another teacher’s class. A parent can’t see another family’s data, even by guessing IDs.
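
A sketch of the per-call role and tenant check described above, as an added example rather than EduPlux's own code. The data model, the role rules and the names (`can_read_student`, `get_student`, `TEACHER_CLASSES`) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    role: str

@dataclass(frozen=True)
class Student:
    id: str
    tenant: str
    class_id: str
    guardian_ids: frozenset

# Constructed sample data (hypothetical schema, two tenants).
STUDENTS = {
    "s1": Student("s1", "school-a", "7A", frozenset({"p1"})),
    "s2": Student("s2", "school-a", "7B", frozenset({"p2"})),
    "s3": Student("s3", "school-b", "7A", frozenset({"p3"})),
}
TEACHER_CLASSES = {"t1": {"7A"}, "t2": {"7B"}}  # teacher id -> classes taught

class Forbidden(Exception):
    pass

def can_read_student(user, student):
    # Tenant boundary comes first: no role, admin included, crosses it.
    if student is None or user.tenant != student.tenant:
        return False
    if user.role == "admin":
        return True
    if user.role == "teacher":
        return student.class_id in TEACHER_CLASSES.get(user.id, set())
    if user.role == "parent":
        return user.id in student.guardian_ids
    if user.role == "student":
        return user.id == student.id
    return False  # deny by default: a role with no rule here gets nothing

def get_student(user, student_id):
    # The ID in the request is only a lookup key; access is decided from
    # the loaded record, so guessing a valid ID grants nothing.
    student = STUDENTS.get(student_id)
    if not can_read_student(user, student):
        # Same error for "missing" and "not yours" so IDs cannot be probed.
        raise Forbidden("not found")
    return student
```
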

Tamper-evident audit logs

Every read of a student record, every grade change, every fee adjustment is logged with user, IP, device and timestamp. Logs are append-only and shipped to a separate AWS account, so a compromised admin can’t cover their tracks.

Data ownership belongs to the institution

EduPlux is a data processor, not a data controller. The school owns its data. We’ll never use student data to train AI models. We’ll never sell it. And institutions can export everything in CSV or JSON at any time, no questions asked.

Where we’re headed

We’re working towards SOC 2 Type II and ISO 27001 certification as part of our roadmap. We’ll publish progress publicly and won’t claim the badges before they’re earned. If you’re evaluating us and want to see our security architecture in detail, write to us — we’ll send the deck.

“We’d rather show you the design and let you judge, than wave a certificate and ask you to trust it.”

— Mamata, Technical Lead

Technical Lead at EduPlux. Mobile-first engineer focused on the Indian education stack.