Security

Your school’s data is yours. We protect it like it’s ours.

Campustics is multi-tenant by design — every school’s students, fees, marks, and parents live in row-level isolation. Here is exactly how that promise is enforced.

Strict tenant isolation

Every row in our database carries both an organisation id and a school id. Every read and write checks both. A school admin in one organisation can never see, list, search, or accidentally touch data belonging to another organisation — enforced at the service layer, not just the UI.

Role-based access control

Each user's role inside their organisation (Org admin, Principal, Teacher, Accountant, Parent, Student) maps to a permission set. Every page route, every server action, and every export gate checks the active user's permissions before serving data. Org admins can audit role assignments at /settings/team.

Encrypted in transit & at rest

TLS terminates at Vercel for production traffic. The Postgres database is encrypted on disk. Passwords are bcrypt-hashed (cost 10). We never store payment card details — Razorpay handles those under PCI scope.

Brute-force & abuse defences

Sign-in attempts are throttled per email (5 failures in 5 minutes locks the account for 5 minutes). Public endpoints (the admission form, password reset, student search) are rate-limited per IP or per user. Server actions are CSRF-protected by Next.js's origin check.
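As an added example (not Campustics code), the sign-in policy stated above can be implemented as a per-email sliding-window counter: five failures inside a five-minute window lock that email for five minutes, and the lock check runs before any password verification so a locked account never reaches bcrypt. The class name, in-memory `Map` storage and injectable clock are assumptions made for the example; a multi-instance deployment would back the same logic with a shared store.

```typescript
// Example implementation (not Campustics' own code) of the stated policy:
// 5 failed sign-ins within 5 minutes lock the email for 5 minutes.
const WINDOW_MS = 5 * 60 * 1000;   // failures are counted over this window
const LOCK_MS = 5 * 60 * 1000;     // lock duration once the limit is hit
const MAX_FAILURES = 5;

type AttemptRecord = { failures: number[]; lockedUntil: number };

class SignInThrottle {
  // Assumption: single-process in-memory storage, keyed by normalised email.
  private records = new Map<string, AttemptRecord>();

  // The clock is injectable so the lock/window logic can be tested deterministically.
  constructor(private now: () => number = Date.now) {}

  private key(email: string): string {
    return email.trim().toLowerCase();
  }

  /** Call before verifying a password: tells the caller whether to proceed. */
  check(email: string): { allowed: boolean; retryAfterMs: number } {
    const rec = this.records.get(this.key(email));
    const t = this.now();
    if (rec && rec.lockedUntil > t) {
      return { allowed: false, retryAfterMs: rec.lockedUntil - t };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  /** Record a failed attempt; returns whether this failure triggered a lock. */
  recordFailure(email: string): { locked: boolean } {
    const k = this.key(email);
    const t = this.now();
    const rec = this.records.get(k) ?? { failures: [], lockedUntil: 0 };
    // Drop failures that have aged out of the sliding window.
    rec.failures = rec.failures.filter((ts) => t - ts < WINDOW_MS);
    rec.failures.push(t);
    if (rec.failures.length >= MAX_FAILURES) {
      rec.lockedUntil = t + LOCK_MS;
      rec.failures = []; // start a fresh window once the lock expires
    }
    this.records.set(k, rec);
    return { locked: rec.lockedUntil > t };
  }

  /** A successful sign-in clears the failure history for that email. */
  recordSuccess(email: string): void {
    this.records.delete(this.key(email));
  }
}
```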

Full audit trail

Every mutation — a student edit, an attendance save, a fee payment, an invoice cancellation, a logo change, a role assignment — writes an entry to a tenant-scoped audit log. Org admins can search the log at /settings/audit.

What lives where

  • Application: Vercel (Mumbai / Singapore edge regions).
  • Database: Neon Postgres (AWS Mumbai), encrypted at rest, point-in-time backups.
  • Email: Resend (transactional only — receipts, reset links, parent notifications).
  • SMS: Fast2SMS / MSG91 (DLT-compliant routes for India).
  • Payments: Razorpay (no card data ever touches our servers).
  • AI: Configurable per deployment — Groq / OpenAI / Cerebras / your own. Always optional.

Reporting a vulnerability

Found something? Email security@campustics.com. We acknowledge within 2 business days and credit responsible disclosure in our release notes.

Technical reference: docs/SECURITY.md in our codebase.