← Back to HeuriSight.com

Security & Data Protection

Our Security Commitment

HeuriSight treats student data security as our highest priority. We implement enterprise-grade security measures that meet or exceed industry standards for educational technology platforms.

Data Encryption

Encryption in Transit

• TLS 1.3: All data transmitted between users and our servers is encrypted using the latest TLS protocol
• HTTPS Only: We enforce HTTPS across all connections with HTTP Strict Transport Security (HSTS)
• Certificate Pinning: Protects against man-in-the-middle attacks

Encryption at Rest

• AES-256 Encryption: All student data stored in databases and file storage is encrypted using AES-256
• Encrypted Backups: All backup copies are encrypted with separate keys
• Key Management: Encryption keys are managed through AWS Key Management Service (KMS)

Infrastructure Security

Cloud Infrastructure

HeuriSight is hosted on enterprise-grade cloud infrastructure:

• AWS (Amazon Web Services): SOC 2 Type II compliant cloud platform
• Multi-Region Redundancy: Data backed up across multiple geographic regions
• DDoS Protection: AWS Shield protects against distributed denial of service attacks
• Web Application Firewall: Protects against common web exploits

Database Security

• Neo4j AuraDB: Managed graph database with enterprise security
• Pinecone: SOC 2 compliant vector database
• Automated Backups: Daily automated backups with 30-day retention
• Point-in-Time Recovery: Can restore data to any point in the last 30 days

Application Security

Authentication & Authorization

• Auth0: Enterprise identity management platform
• Multi-Factor Authentication (MFA): Available for all administrative users
• Single Sign-On (SSO): Integration with institutional identity providers (SAML, OAuth)
• Role-Based Access Control (RBAC): Granular permissions by user role
• Session Management: Automatic logout after inactivity, secure session tokens

Application Code Security

• Secure Development: Following OWASP Top 10 security guidelines
• Code Reviews: All code changes reviewed for security vulnerabilities
• Dependency Scanning: Automated scanning for known vulnerabilities in third-party libraries
• Input Validation: All user inputs validated and sanitized
• SQL Injection Prevention: Parameterized queries, ORM usage

Operational Security

Monitoring & Incident Response

• 24/7 Monitoring: Automated monitoring of system health and security events
• Intrusion Detection: Real-time detection of suspicious activity
• Incident Response Plan: Documented procedures for security incidents
• Breach Notification: Institutions notified within 24 hours of any confirmed breach

Access Logging & Auditing

• Comprehensive Audit Logs: All data access logged with user, timestamp, and action
• Log Retention: Audit logs retained for minimum 1 year
• Tamper-Proof Logging: Logs cannot be modified or deleted by users
• Regular Audits: Quarterly reviews of access patterns

Data Isolation & Multi-Tenancy

Each institution's data is completely isolated:

• Logical Separation: Institution data tagged and filtered at database level
• No Cross-Institution Access: Students/faculty can only access data from their own institution
• Separate Workspaces: Each institution operates in isolated environment

Compliance & Certifications

Vendor Security Assessments

All third-party vendors undergo security assessment:

• SOC 2 Type II compliance required
• Data processing agreements (DPAs) signed
• Regular vendor security reviews
• Annual re-certification requirements

Physical Security

All data is hosted in SOC 2 certified data centers with:

• 24/7 physical security and surveillance
• Biometric access controls
• Environmental controls (fire suppression, climate control)
• Redundant power and network connectivity

Data Retention & Deletion

• Active Data: Retained while institutional subscription is active
• Post-Termination: 30-day grace period for data export
• Secure Deletion: Data securely deleted within 90 days of contract end
• Backup Purging: All backup copies deleted within 90 days
• Verification: Certificate of deletion provided upon request

Reporting Security Issues

If you discover a potential security vulnerability:

Email: LokeshDani@xopol.is
Subject: "SECURITY: [Brief Description]"

We take all security reports seriously and will respond within 24 hours.

---

Last Updated: December 1, 2025
© 2025 HeuriSight by Xopolis Inc. • Virginia C-Corporation