🛡️ Student data never leaves India — by architecture, not just policy. See How →
Security Built Into the Architecture

How Ocoviz Protects Every Byte of Student Data

This page explains the technical and operational security measures that protect your school's data — in plain language, without hiding behind vague assurances.

🛡️ Security Status — Current
🔒
Data Encryption
TLS 1.2+ in transit · AES-256 at rest
Active
🇮🇳
Data Localisation
All data hosted within India
Enforced
👤
Role-Based Access
Per-role scoping, no over-sharing
Active
📋
Audit Logging
All access events logged & retained
Active
📜
ISO 27001
Certification in progress
In Progress
🧾
DPDP Act Alignment
Consent & rights workflows active
Active
Security Architecture

Six Pillars That Protect Your School's Data

Security is not a layer we added later — it shaped every architectural decision from the platform's first design.

🔒

End-to-End Encryption

All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Even in the event of unauthorised infrastructure access, raw data remains unreadable.

TLS 1.2+ · AES-256
🇮🇳

India-Only Data Residency

All production data — student records, attendance, assessments, analytics — is stored and processed exclusively on servers within Indian borders. No cross-border data transfer for any operational purpose.

India-hosted infrastructure
👤

Role-Based Access Control

Access is granted at the most granular level necessary for each role. A class teacher sees their class. A principal sees their school. No user ever receives broader access than their function requires.

RBAC enforced at API level
📋

Full Audit Logging

Every data access event, login, report generation, and modification is logged with a timestamp, user ID, and IP address. Schools can request an audit trail export at any time.

Immutable access logs
🔍

Continuous Monitoring

Automated systems monitor for unusual access patterns, failed authentication spikes, and anomalous data requests — flagging potential incidents before they escalate.

24/7 anomaly detection
🔐

Secure Authentication

Platform access requires secure, credential-based authentication. Session tokens are time-limited and invalidated on logout. We recommend and support multi-factor authentication for all admin accounts.

Session-based · MFA supported
Encryption Detail

What "Encrypted" Actually Means for Your Data

Encryption is one of those words that gets used without explanation. Here's exactly what we encrypt, when, and how.

📡

Data in Transit

Every request between your browser or app and our servers is encrypted using TLS 1.2+. This includes attendance submissions, assessment records, parent alerts, and dashboard views.

💾

Data at Rest

All data stored in our databases and file systems is encrypted using AES-256 — the same standard used by banks and government systems. Encryption keys are managed separately from data.

🔑

Key Management

Encryption keys are stored separately from the data they protect and rotated regularly. Access to keys is restricted to a minimal number of authorised Ocoviz infrastructure engineers.

🗄️

Database Isolation

Each school's data is logically isolated at the database level. Cross-school data access is prevented at the architecture layer — not just by application-level controls.

Data Journey — Fully Encrypted
1
Teacher enters attendance
Encrypted immediately at device
2
Transmitted via TLS 1.2+
Secure channel — unreadable in transit
3
Received by India-hosted server
Never routed outside Indian borders
4
Stored with AES-256 encryption
Unreadable without decryption key
5
Accessed only by authorised role
RBAC enforced at API layer
6
Every access event logged
Immutable audit trail retained
Role-Based Access Control

Who Can Access What — Enforced at the System Level

Access control in Ocoviz is not a setting that admins configure — it's enforced at the API layer for every single data request.

RoleData Access ScopeScope LevelData Encrypted
Class Teacher Student profiles, attendance, assessments, and risk signals for their assigned class(es) only Class-level Yes
Subject Teacher Performance and assessment data for students in their assigned subject sections only Subject-level Yes
HOD / Coordinator Aggregated and individual data across classes within their department or grade band Department Yes
Principal Full visibility across the school — every class, subject, and staff reporting data School-level Yes
Trustee / Administrator Institutional KPIs and compliance reporting across campuses — no granular student drill-down by default Governance Yes
Parent Their own child's attendance, performance, and progress updates only — no other student data Child-only Yes
Ocoviz Staff Restricted, logged access for support and maintenance only — requires explicit authorisation per request Restricted Yes
Incident Response

What Happens If Something Goes Wrong

No system is invulnerable. What matters is how quickly and transparently we respond. Here's our incident response protocol.

1

Detection

Automated monitoring flags anomalies in real time — unusual access patterns, login spikes, or unexpected data requests.

Continuous
2

Containment

Affected systems are isolated immediately. Suspicious sessions are terminated and credentials invalidated within minutes of confirmation.

Within 30 minutes
3

School Notification

Affected school administrators are notified directly with a clear explanation of what occurred, what data was involved, and what we've done.

Within 24 hours
4

Resolution & Review

Root cause analysis completed, remediation applied, and a written post-incident report shared with affected schools.

Within 72 hours
Compliance Status

Where We Stand — Honestly

We believe in being transparent about our compliance status — not just listing certifications we're working toward as though they're done.

🇮🇳

DPDP Act 2023 — India

Consent management, data subject rights (access, correction, deletion), and breach notification workflows are actively aligned with India's Digital Personal Data Protection Act 2023.

✓ Implemented
🏫

CBSE Compliance Alignment

Report formats, CCE assessment structures, attendance terminology, and data retention standards are built around CBSE conventions from the ground up.

✓ Implemented
🛡️

ISO 27001 — Information Security

We are actively working toward formal ISO 27001 certification as we scale. Our internal controls and policies are structured to meet this standard ahead of certification.

⏳ In Progress
👶

COPPA / Children's Data Protection

Ocoviz does not collect data directly from children. Student data flows exclusively through authorised school accounts, in line with children's data protection principles globally.

✓ Implemented
📱

Google Play Data Safety

Our mobile app's data safety declarations accurately reflect our data collection, sharing, and security practices as required by Google Play Store policy.

✓ Declared
🇪🇺

GDPR — Privacy by Design

While Ocoviz primarily serves Indian schools, our data architecture follows GDPR's Privacy by Design principles — minimal data collection, purpose limitation, and user rights by default.

✓ Architecture-level

Have a Specific Security Question?

Our team is happy to walk your IT coordinator or trustees through our architecture in a 20-minute technical briefing — no question is off-limits.