Information Security Programme
Our security programme is aligned with ISO/IEC 27001, ISO/IEC 27701, and the OWASP Top 10, implemented using enterprise-grade free-tier tools.
Authentication
- Minimum 8-character passwords enforced
- Password complexity validation
- HaveIBeenPwned leaked-password check
- Multi-factor authentication (TOTP)
- JWT sessions with 1-hour expiry
- Refresh token rotation
Encryption
- AES-256 encryption at rest (Supabase)
- TLS 1.3 in transit (Cloudflare)
- No plaintext data transmission
- HTTPS enforced, HTTP redirected
- PDF exports client-side only (never transmitted)
Access Control
- Row-Level Security on every table
- Cross-school data isolation enforced at DB level
- 4 roles: Admin / Principal / Teacher / Secretary
- All access saved to audit logs
- Privileged accounts strictly controlled
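The "Row-Level Security on every table" and "cross-school isolation enforced at DB level" controls above rest on PostgreSQL RLS policies. The following is an added example of what such policies look like on Supabase; it is not SchoolDesk's own schema or code. It assumes a hypothetical `learners` table, that each user's JWT carries `app_metadata.school_id` and `app_metadata.role` (set by the service role, not by the user), and that Teacher is a read-only role while Admin, Principal and Secretary may write. Supabase's `auth.jwt()` and the built-in `authenticated` role are real; everything else is illustrative.

```sql
-- Added example, not SchoolDesk's schema. Assumes a "learners" table and that
-- each user's JWT carries app_metadata.school_id (uuid) and app_metadata.role.
-- app_metadata is used because only the service role can set it; user_metadata
-- is editable by the end user and must never drive an access decision.
create table if not exists learners (
  id        bigint generated always as identity primary key,
  school_id uuid not null,
  full_name text not null,
  grade     smallint not null check (grade between 1 and 7)
);

alter table learners enable row level security;
-- FORCE applies the policies to the table owner as well, so a connection
-- using the owning role cannot accidentally read across schools.
alter table learners force row level security;

-- The caller's school, taken from the JWT that Supabase exposes via auth.jwt().
-- Returns NULL for anonymous callers, which makes every comparison below false.
create or replace function current_school_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'school_id', '')::uuid
$$;

-- The caller's application role (assumed values: admin, principal, teacher, secretary).
create or replace function current_app_role() returns text
language sql stable as $$
  select auth.jwt() -> 'app_metadata' ->> 'role'
$$;

-- Read: every signed-in role sees only its own school's learners.
create policy learners_select on learners
  for select to authenticated
  using (school_id = current_school_id());

-- Insert: WITH CHECK is what stops a row being written under another school_id.
create policy learners_insert on learners
  for insert to authenticated
  with check (school_id = current_school_id()
              and current_app_role() in ('admin', 'principal', 'secretary'));

-- Update: USING filters which rows may be touched; WITH CHECK validates the new
-- values, so school_id cannot be rewritten to move a learner between schools.
create policy learners_update on learners
  for update to authenticated
  using (school_id = current_school_id()
         and current_app_role() in ('admin', 'principal', 'secretary'))
  with check (school_id = current_school_id()
              and current_app_role() in ('admin', 'principal', 'secretary'));

-- Delete: admins only, within their own school.
create policy learners_delete on learners
  for delete to authenticated
  using (school_id = current_school_id() and current_app_role() = 'admin');

-- Verification query for "RLS on every table": any public table still listed
-- here has no row security and is exposed to every authenticated API client.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

The closing query is the check worth running in CI or before each release: with Supabase's auto-generated REST API, a public table without RLS is readable by any holder of the anon or authenticated key, so an empty result set is the condition the "every table" claim depends on.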
OWASP Top 10 Mitigations
Endpoint Controls
We provide all SchoolDesk admin users with device security guidance as part of onboarding:
- Device passwords/PINs on school computers
- Windows Defender / macOS built-in AV
- School email accounts (not personal) for admin
- MFA enabled on all SchoolDesk accounts
- Screen lock when unattended
Vulnerability Management
- OWASP ZAP scans before each major release
- GitHub Dependabot for dependency alerts
- Cloudflare security advisories monitored
- Supabase CVE alerts subscribed
- Manual penetration testing per major version
- Findings documented and remediated within SLA
Hosting & Data
We use the same cloud infrastructure as global enterprise platforms (Cloudflare and Supabase), available on free and low-cost tiers.
Hosting Providers
| Layer | Provider | Standard |
|---|---|---|
| CDN / Frontend | Cloudflare Pages | SOC 2, ISO 27001 |
| Database | Supabase (PostgreSQL) | SOC 2 Type II |
| WAF / DDoS | Cloudflare | PCI DSS, ISO 27001 |
| SSL/TLS | Cloudflare | TLS 1.3, HSTS |
Geographic Regions
Learner data is hosted in:
- Supabase: EU West (Ireland), GDPR default
</gml_replace>
<gr_replace lines="52" cat="reformat" orig="- Data served from nearest">
- Data served from the nearest node, giving low latency in South Africa
- Cloudflare CDN: Johannesburg (ZA) + global PoPs
- Data served from nearest node โ low latency SA
We endeavour to host client data within their region. Cross-border transfers are protected by TLS encryption and SOC 2-compliant providers.
Change Management
- All changes deployed via GitHub Actions CI/CD pipeline
- No direct production changes without code review
- Emergency changes follow fast-track process with post-review
- Full deployment history retained in Cloudflare Pages
- Instant rollback available to any previous deployment
Data Retention on Termination
- 30-day data export window after cancellation
- Full CSV + PDF export of all learner records
- Live data deleted within 30 days of termination
- Encrypted backups retained 90 days then destroyed
- Re-engagement within 90 days: data restored
Resilience & Recovery
We target enterprise-grade availability using free-tier infrastructure: Cloudflare's 99.99% uptime and Supabase's 99.9% SLA.
Backup Schedule
- Daily automated DB snapshot (Supabase)
- 7-day backup retention (free tier)
- Continuous code backup (GitHub)
- Versioned frontend deployments (Cloudflare)
- Upgrade path: 30-day PITR on Supabase Pro
Monitoring
- UptimeRobot 5-min checks (free)
- Instant email + SMS alert on downtime
- Cloudflare analytics for traffic anomalies
- Supabase dashboard for DB performance
- Public status page (planned v1.1)
Office & Physical
- JLR Dev operates cloud-first: no critical data on-premises
- All systems accessible remotely
- Local device encrypted (BitLocker/FileVault)
- OneDrive geo-redundant sync for local backups
Upgrade Path (as revenue grows)
| Priority | Upgrade | Cost | Unlocks |
|---|---|---|---|
| 1 | Supabase Pro | $25/mo | 30-day PITR, 8GB DB, daily backups × 30 |
| 2 | Cloudflare Pro | $20/mo | Advanced WAF, bot management, 5-min cache purge |
| 3 | UptimeRobot Pro | $7/mo | 1-min checks, public status page |
| 4 | ISO 27001 Audit | Once-off | Formal certification (50+ schools scale) |
Incident Response
We follow a structured process aligned with POPIA's 72-hour breach notification requirement and ISO 27001 A.16 incident management.
Severity Levels
| Level | Definition | Response |
|---|---|---|
| P1 | Data breach / service down | 1 hour |
| P2 | Partial outage / security vuln | 4 hours |
| P3 | Feature failure, no data risk | Next business day |
| P4 | Minor UI bug | Next sprint |
POPIA Breach Notification
POPIA requires breach notification to the Information Regulator within 72 hours of confirmation.
- Affected schools notified within 24 hours
- Information Regulator notified within 72 hours
- Post-incident report within 48 hours of resolution
- Forensic analysis conducted
- Controls updated to prevent recurrence
Response Process
Compliance
SchoolDesk handles children's personal information, the highest protection category under POPIA. We take this seriously.
POPIA (Act 4 of 2013)
- Full accountability: JLR Dev as Responsible Party
- Children's data (s35): school obtains parental consent
- Purpose limitation: school admin only, no third-party use
- Data quality: school admin responsible for accuracy
- Security safeguards: see Security section
- Data subject rights: access, correct, delete
GDPR (2016/679)
- Lawful basis: legitimate interest (school admin)
- Data minimisation: only necessary fields collected
- EU hosting available (Supabase Ireland)
- Data Processing Agreement available on request
- 72-hour breach notification
- Right to erasure honoured
SA Schools Act (84/1996)
- Learner records retained minimum 5 years
- CAPS-aligned grading (Gr 1–7)
- Support for SA-SAMS export (v1.1 roadmap)
- Promotion decisions documented and auditable
- Report cards meet DBE format requirements
Information Officer
For the purposes of POPIA, the Information Officer responsible for SchoolDesk data processing is:
Email: jan-louis@jlrdev.co.za · Phone: 082 852 5108 · Bloemfontein, Free State, South Africa
Information Regulator of South Africa
You have the right to lodge a complaint with the Information Regulator:
Website: www.inforegulator.org.za
Postal address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001