Enterprise-Grade Security, Built In
Student and institution data is at the core of what we protect. Here's how we keep it safe from infrastructure to application layer.
SOC 2 Type II
Annual audit by independent auditors verifying our security, availability, and confidentiality controls.
ISO 27001
Information security management system certified to the international standard.
GDPR Compliant
Full compliance with EU General Data Protection Regulation for European data subjects.
CERT-In Compliant
Compliant with Indian Computer Emergency Response Team (CERT-In) cybersecurity guidelines.
Data Encryption
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for all data at rest
- Database-level encryption at AWS RDS layer
- Encrypted backups stored in separate AWS region
- Key management via AWS KMS with automatic rotation
Infrastructure Security
- AWS Mumbai region for all Indian customer data
- VPC isolation with private subnets for databases
- Web Application Firewall (WAF) on all endpoints
- DDoS protection via AWS Shield Advanced
- Automated vulnerability scanning of all dependencies
- Immutable infrastructure with no manual server access
Access Controls
- Role-based access control (RBAC) for all staff
- Mandatory multi-factor authentication for all accounts
- Zero-trust network architecture
- Privileged access management with audit logs
- Quarterly access reviews and permission cleanup
- Offboarding checklist with immediate access revocation
Application Security
- OWASP Top 10 mitigations in all application code
- Annual third-party penetration testing
- Static and dynamic application security testing (SAST/DAST)
- Dependency vulnerability scanning in CI/CD pipeline
- Security code reviews for all new features
- Bug bounty program for responsible disclosure
- 99.9%: Uptime SLA (Enterprise)
- 72h: Breach notification window
- <5 min: Mean time to detect (MTTD)
Incident Response
We maintain a formal incident response plan tested quarterly. In the event of a security incident:
- Our security team is alerted automatically within minutes via 24/7 monitoring
- Affected systems are isolated within 15 minutes
- Affected Data Controllers (institutions) are notified within 72 hours if personal data is involved
- A public post-mortem is published for any incidents affecting availability
- Root cause analysis and remediation are completed within 30 days
Responsible Disclosure Program
We welcome security researchers to responsibly disclose vulnerabilities. If you discover a security issue:
- Email info@zenvrix.com with details of the vulnerability
- Include steps to reproduce, impact assessment, and your contact information
- We acknowledge reports within 2 business days
- We resolve critical issues within 72 hours, high severity within 7 days
- We provide credit in our security acknowledgments page for valid reports
Please do not publicly disclose vulnerabilities until we have had 90 days to investigate and remediate.
Security Questions?
For security inquiries, vulnerability reports, or to request our full security documentation for enterprise due diligence:
info@zenvrix.com