This page explains the technical and operational security measures that protect your school's data — in plain language, without hiding behind vague assurances.
Security is not a layer we added later — it shaped every architectural decision from the platform's first design.
All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Even in the event of unauthorised infrastructure access, raw data remains unreadable.
TLS 1.2+ · AES-256All production data — student records, attendance, assessments, analytics — is stored and processed exclusively on servers within Indian borders. No cross-border data transfer for any operational purpose.
India-hosted infrastructureAccess is granted at the most granular level necessary for each role. A class teacher sees their class. A principal sees their school. No user ever receives broader access than their function requires.
RBAC enforced at API levelEvery data access event, login, report generation, and modification is logged with a timestamp, user ID, and IP address. Schools can request an audit trail export at any time.
Immutable access logsAutomated systems monitor for unusual access patterns, failed authentication spikes, and anomalous data requests — flagging potential incidents before they escalate.
24/7 anomaly detectionPlatform access requires secure, credential-based authentication. Session tokens are time-limited and invalidated on logout. We recommend and support multi-factor authentication for all admin accounts.
Session-based · MFA supportedEncryption is one of those words that gets used without explanation. Here's exactly what we encrypt, when, and how.
Every request between your browser or app and our servers is encrypted using TLS 1.2+. This includes attendance submissions, assessment records, parent alerts, and dashboard views.
All data stored in our databases and file systems is encrypted using AES-256 — the same standard used by banks and government systems. Encryption keys are managed separately from data.
Encryption keys are stored separately from the data they protect and rotated regularly. Access to keys is restricted to a minimal number of authorised Ocoviz infrastructure engineers.
Each school's data is logically isolated at the database level. Cross-school data access is prevented at the architecture layer — not just by application-level controls.
Access control in Ocoviz is not a setting that admins configure — it's enforced at the API layer for every single data request.
No system is invulnerable. What matters is how quickly and transparently we respond. Here's our incident response protocol.
Automated monitoring flags anomalies in real time — unusual access patterns, login spikes, or unexpected data requests.
ContinuousAffected systems are isolated immediately. Suspicious sessions are terminated and credentials invalidated within minutes of confirmation.
Within 30 minutesAffected school administrators are notified directly with a clear explanation of what occurred, what data was involved, and what we've done.
Within 24 hoursRoot cause analysis completed, remediation applied, and a written post-incident report shared with affected schools.
Within 72 hoursWe believe in being transparent about our compliance status — not just listing certifications we're working toward as though they're done.
Consent management, data subject rights (access, correction, deletion), and breach notification workflows are actively aligned with India's Digital Personal Data Protection Act 2023.
✓ ImplementedReport formats, CCE assessment structures, attendance terminology, and data retention standards are built around CBSE conventions from the ground up.
✓ ImplementedWe are actively working toward formal ISO 27001 certification as we scale. Our internal controls and policies are structured to meet this standard ahead of certification.
⏳ In ProgressOcoviz does not collect data directly from children. Student data flows exclusively through authorised school accounts, in line with children's data protection principles globally.
✓ ImplementedOur mobile app's data safety declarations accurately reflect our data collection, sharing, and security practices as required by Google Play Store policy.
✓ DeclaredWhile Ocoviz primarily serves Indian schools, our data architecture follows GDPR's Privacy by Design principles — minimal data collection, purpose limitation, and user rights by default.
✓ Architecture-levelOur team is happy to walk your IT coordinator or trustees through our architecture in a 20-minute technical briefing — no question is off-limits.