Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. We enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
- At Rest: Data stored in our database and file storage is encrypted at rest using industry-standard encryption provided by our cloud infrastructure.
Access Controls
- Role-Based Permissions: Users only see data relevant to their role. Staff see students within their school. Students see only their own data. Administrators manage their school's configuration.
- Session Management: Sessions expire after 24 hours of inactivity. Session cookies are HTTP-only and secure (HTTPS-only in production).
- Rate Limiting: Login attempts and sensitive actions are rate-limited to prevent brute-force attacks.
Authentication
- Single Sign-On (SSO): Schools can authenticate staff and students through Google, Microsoft, or ClassLink SSO, reducing the need for separate passwords.
- Password Security: All passwords are hashed using industry-standard algorithms. We never store passwords in plain text.
- Minimal Student Passwords: When SSO is used, students do not need a Kudos4Kids password at all. Schools control which authentication method is used.
Infrastructure & Hosting
- Cloud Hosting: Kudos4Kids is hosted on Microsoft Azure, a SOC 2 and ISO 27001 certified cloud platform.
- Database: Student and school data is stored in Azure SQL Database with built-in threat detection, automated backups, and geo-redundant storage.
- File Storage: Uploaded files (such as profile images) are stored in Azure Blob Storage with encryption at rest.
Backup & Recovery
- Automated database backups run on a regular schedule
- Backups are stored in geo-redundant storage for disaster recovery
- Recovery procedures are in place to restore service in the event of an outage
Security Headers & Browser Protections
In production, Kudos4Kids enforces the following browser security protections:
- HTTPS redirect and HSTS with 1-year duration
- Content-Type sniffing protection
- XSS filter protection
- Clickjacking protection (X-Frame-Options: DENY)
- CSRF protection on all forms
- Strict referrer policy
Data Breach Response
In the event of a data breach involving personal information, we will:
- Notify affected schools within 72 hours
- Provide details about the breach and our response
- Comply with all applicable data breach notification laws