Schools handle the most sensitive data on the planet โ children's records. We treat security, DPDP compliance, and uptime as product features, audited every year, never as marketing claims.
Every certificate below is renewed annually by a Big Four or empanelled CERT-In auditor. Reports are available under NDA on request.
Information security management system, audited by BSI India. Renewed annually with quarterly internal reviews.
Security, availability, confidentiality, and processing integrity audited by Deloitte over a continuous 12-month window.
Full Digital Personal Data Protection Act compliance. Designated Data Protection Officer. Consent flows for all student data.
Compliant for international schools serving EU students. Standard contractual clauses and EU representative on file.
Architected to align with India's National Data Policy on storage, classification, and lawful access of personal data.
VAPT testing performed every 6 months by a CERT-In empanelled security auditor. Findings tracked to closure within 30 days.
Encryption, residency, and access control at every layer of the stack.
Every byte of student, fee, and parent data is encrypted with AES-256 at rest. All connections use TLS 1.3 with perfect forward secrecy. Encryption keys are managed in AWS KMS with hardware security modules (FIPS 140-2 Level 3).
All AskCampus data is stored exclusively in the AWS Asia Pacific (Mumbai) region โ ap-south-1. Backups replicate within India to AWS Hyderabad. Your data never leaves Indian soil unless you explicitly request a cross-border export.
Granular permissions for principals, teachers, accountants, and parents. Every action is logged with user, IP, device, and timestamp โ exportable as a CSV audit trail for your auditors and trustees.
Real engineers, real runbooks, real on-call rotations โ not a status page promise.
Datadog and PagerDuty watch 1,400+ metrics across infrastructure and application layers. Two-engineer on-call rotation, 24/7, 365 days.
Documented runbooks for 47 incident types. Customer notification within 15 minutes of confirmed Sev-1. Public RCA within 5 working days.
Hourly snapshots, daily full backups, 35-day retention. Tested DR drill every quarter with a documented RPO of 5 minutes and RTO of 60 minutes.
The DPDP Act 2023 isn't a checkbox for us โ it's how we designed consent, retention, and breach notification from the ground up.
We collect only the data your institution needs to operate โ and we make it easy for parents and students to exercise their rights under DPDP. Our Data Protection Officer is contactable directly at dpo@askcampus.io.
Public responsible-disclosure programme on HackerOne. Rewards from โน5,000 (low) to โน5,00,000 (critical). 84 valid reports closed since 2023.
status.askcampus.io shows real-time health of every service, region-by-region. Subscribe via email or RSS for incident updates.
SOC 2 Type II report, ISO 27001 certificate, VAPT summary, and pen-test letters available under NDA from your account manager.
"Our IT committee asked for ISO 27001, SOC 2, and DPDP DPA โ AskCampus had all three in our inbox by Monday morning. That doesn't happen with most vendors."
"As a CBSE+IB school we host EU-citizen children. AskCampus's GDPR-ready DPA and EU representative made our parents' lawyers comfortable in one call."
"Their CISO got on a Sunday call when our trustees had questions. That's the moment we knew this wasn't a typical SaaS vendor."
Every framework below has a current letter of attestation on file with our compliance team. Auditor names, scope statements, and last-audited dates are listed verbatim โ exactly what an empanelled auditor or trustee committee would see in our SIG questionnaire.
Our Information Security Management System covers the entire AskCampus SaaS platform โ Mumbai primary, Hyderabad DR, all engineering offices, and every laptop fleet. BSI India performs the annual surveillance audit and we run our own quarterly internal review. The audit report is downloadable under NDA from your account manager.
Deloitte India audits our platform continuously over a rolling twelve-month observation window covering five Trust Services Criteria. The current attestation report (period 1 Apr 2025 โ 31 Mar 2026) carries a clean opinion with zero exceptions. Annual addressable audit costs over โน1.4 crore โ passed entirely as a customer benefit.
Full Digital Personal Data Protection Act compliance with a designated Data Protection Officer (Ms. Anu Subramaniam, dpo@askcampus.io). Consent receipts, granular parental consent for under-18 users, configurable retention windows by data category, and a 72-hour breach notification SLA are all wired into the product, not added as documentation.
For our IB and IGCSE customers serving EU-citizen children, we sign Standard Contractual Clauses, maintain an EU-based representative (Mannheim, Germany), and keep an Article 30 record of processing activities. Cross-border transfers default to "off" โ explicit institution sign-off is required to enable any data flow outside India.
Vulnerability assessment and penetration testing performed every six months by a CERT-In empanelled auditor (currently SISA Information Security). All Sev-1 and Sev-2 findings tracked to closure within 30 days; the closure letter is shared with customers on request. Last audit cycle closed with zero outstanding Sev-1 findings.
We map every internal control to the NIST Cybersecurity Framework 2.0 across the six functions โ Govern, Identify, Protect, Detect, Respond, Recover. Current self-assessed maturity is Tier 4 (Adaptive) on five of six functions, Tier 3 (Repeatable) on Govern. The full mapping spreadsheet is shared with prospects under NDA.
From the moment a parent taps "Pay fees" on the mobile app to the moment a backup tape lands in our Hyderabad DR region โ the four stops every byte makes. No surprise stops in Singapore, Frankfurt, or Virginia.
Browser or mobile app initiates the request. TLS 1.3 with perfect forward secrecy is enforced before any payload leaves the device. Connection is pinned to *.askcampus.io โ no fallback to weaker ciphers, no permissive HTTPS.
Request terminates at our AWS Asia Pacific (Mumbai) ap-south-1 edge โ three availability zones, multi-AZ load balancers, IST-aligned ops team. The originating customer tenant is identified, request is signed, and routing decisions are made entirely inside India.
Data lands in tenant-isolated PostgreSQL and S3 with AES-256 at rest, FIPS 140-2 Level 3 HSM-backed KMS keys rotated every 90 days. Aadhaar, PAN, and bank account fields receive an additional layer of application-level field encryption.
Hourly snapshots and daily fulls replicate asynchronously to AWS Hyderabad (ap-south-2) over a private VPC peering link. Retention is 35 days. Quarterly DR drills failover the entire stack inside a 60-minute RTO with a 5-minute RPO.
Certifications are necessary but not sufficient. The day-to-day security playbook below is what actually keeps the breach count at zero across seven years of operation. Every item runs on a published schedule with documented owners.
Two-person on-call rotation in our Hyderabad SOC, backed by Datadog SIEM and PagerDuty escalation. 1,400+ metrics watched continuously. Mean time to acknowledge: 4 minutes. Sev-1 escalation reaches the CISO inside 15 minutes, day or night.
Documented runbooks for 47 incident classes, rehearsed quarterly. Customers receive a confirmed Sev-1 notification within 15 minutes, an interim update every 30 minutes, and a public RCA within five working days. Bilingual (English + Hindi) comms by default.
Every quarter we failover the full production stack from Mumbai to Hyderabad with real customer load on synthetic tenants. RPO is measured at 5 minutes, RTO at 60 minutes. The post-drill report is reviewed by the CISO and shared with enterprise customers.
Every employee โ engineering, sales, support, legal โ receives a monthly simulated phishing email from our internal red team. Click-rate target is <3%; current 12-month rolling average is 1.4%. Click-through triggers automated retraining and SOC alert.
Public responsible-disclosure programme on HackerOne since 2023. Rewards range from โน5,000 (Low) to โน5,00,000 (Critical). 84 valid findings processed to date with a 9-day median time to fix. Hall of Fame published on our trust portal.
Every sub-processor โ payment gateways, SMS providers, cloud, observability tools โ passes an annual vendor security assessment. Vendors that fail to renew SOC 2 / ISO 27001 are replaced inside one quarter. The full sub-processor list is published on our trust portal.
Every action a user performs โ viewing a fee balance, downloading a marksheet, exporting a parent list โ is recorded with user, IP, device, and timestamp on a write-once log retained for seven years.
AskCampus ships with 14 default roles modelled on real Indian school structures โ Trustee, Principal, Vice Principal, Head Teacher, Class Teacher, Subject Teacher, Accountant, Admissions Officer, Front Office, Transport In-Charge, Hostel Warden, Librarian, Parent, Student. Every role can be cloned and customised at the institution level without touching production code or filing a support ticket.
The compressed version of our standard SIG-Lite response. If something below needs more depth โ a data flow diagram, a sub-processor list, an incident statistic โ your account manager can get it to you under NDA inside one working day.
Primary copy lives in AWS Asia Pacific (Mumbai) ap-south-1 across three availability zones. Async-replicated backups live in AWS Hyderabad ap-south-2. No data ever leaves Indian soil unless you explicitly enable the cross-border export feature on the Scale plan, which is off by default.
A standing list of 9 named SREs and 2 named DBAs, all India-resident background-checked employees. Production access requires SSO + hardware-key 2FA + just-in-time approval from a second engineer, with every keystroke recorded to a separate immutable audit stream we cannot edit.
Our DPDP-aligned customer SLA is breach notification within 72 hours of confirmation. In practice, our last three customer-impacting Sev-1 incidents (none of which involved data exposure) were communicated within 22, 14, and 9 minutes respectively. We err heavily on the side of telling you fast.
Yes. The ISO 27001 certificate is downloadable from our public trust portal. The SOC 2 Type II report and the CERT-In VAPT closure letter require a one-page mutual NDA, which your account manager can turn around in one working day.
Yes โ Google Workspace, Microsoft Entra ID (Azure AD), Okta, and any SAML 2.0 / OIDC provider on Scale plan. Group-to-role mapping is automatic. SCIM 2.0 user provisioning and de-provisioning is supported, so off-boarded staff lose access in real time.
You receive a full export โ students, parents, fee history, marks, attendance, payroll โ in CSV and JSON inside seven days of contract termination, free of charge. After a 30-day grace window, all production and backup data is cryptographically erased and a written attestation is provided.
No. Customer data is never used to train shared or third-party models. AskCampus AI features run on per-tenant inference only, with no cross-tenant signal. Your data does not leave your tenant boundary except for the operational replication described in the data-flow diagram above.
Yes โ on the Scale plan, with seven days' notice, in our staging environment with mirrored production data. We will share the rules of engagement, the sub-processor allow-list, and the escalation contacts. We have hosted 11 customer-led pen-tests in the last 12 months without incident.
Our CISO and Data Protection Officer respond personally to security questionnaires from trustees, IT committees, and parent groups โ usually within one working day.
30-minute walkthrough of the security architecture with a senior solutions consultant. NDA, DPA, and audit reports available on request.
The 12-page guide every Indian institution should read before evaluating an ERP. Includes a vendor question bank, DPDP-readiness checklist, and migration timeline.
Check your inbox in 2 minutes. Add sales@askcampus.io to safe senders.