Data Protection
- Encryption in transit: TLS 1.2+ for all public endpoints; HSTS and modern ciphers.
- Encryption at rest: AES-256 for databases and backups.
- Secrets management: environment-scoped secrets; no secrets in code or logs.
- Tenant isolation: PostgreSQL multi-tenant with tenant-ID scoping enforced at both the service and data layers.
Access Controls
- RBAC: role-based access (Admin/Faculty/Student/Parent) with least privilege.
- MFA for internal access: enforced on admin & operator accounts.
- Audit trails: immutable logs for sensitive actions (attendance overrides, fee updates, etc.).
Application Security
- Secure SDLC with code reviews, dependency scanning, and CI checks.
- Input validation & output encoding; CSRF protection; rate limits on authentication and other sensitive endpoints.
- Regular third-party library updates; security headers (see below).
Reliability & Backups
- RPO: ≤ 15 minutes; RTO: ≤ 2 hours for critical services.
- Automated daily backups with point-in-time recovery; geo-redundant copies.
- Health checks & uptime monitoring across Web, API, Notifications.
Compliance Posture
- Privacy-by-design aligned with India DPDP Act principles.
- DPA (Data Processing Addendum) available on request for institutions.
- Parent/guardian contact handling with opt-in for messaging (DLT/SMS compliant configuration).
Data Retention
- Operational logs: 90 days (default). Backups: 30 days rolling.
- Account data retained for contract term; deletion/export available upon authorized request.
Responsible Disclosure
If you believe you’ve found a security issue, email contact@multieconenterprise.com with details and steps to reproduce. Please avoid accessing data that isn’t yours, and give us reasonable time to fix before public disclosure.
Sub-processors
We use select infrastructure and communications providers (e.g., hosting, SMS) under strict DPAs. A current list is available on request.
Questions? Contact contact@multieconenterprise.com.