Relearns

Trust

Security & privacy

School-owned data, role-symmetric access, and an audit trail trustees can sign off on.

Data residency · India

All Indian school data is hosted in India (ap-south-1). No PII crosses provider boundaries. Each school is namespaced by tenant — cross-tenant queries are physically prevented at the storage layer.

Role-based access

Principal · Teacher · Student · Parent. A capability matrix governs every action. Teachers see their own class; parents see only their child. The same matrix is exposed inside the product so schools can audit it any time.

Multi-factor auth

TOTP authenticator apps (Google Authenticator, 1Password, Authy) and email OTP. Required on every role switch. Recovery codes issued at first enrollment.

Encryption everywhere

AES-256 at rest. TLS 1.2+ in transit. Keys held in HSM-backed storage. Backups are encrypted with the same primitive.

Daily backups + quarterly drills

Encrypted daily backups in Cloudflare R2 · ap-south-1; retention follows the customer agreement. We restore from a fresh backup every quarter — the last restore drill date is visible inside the product.

Tamper-evident audit log

Every administrative action (login, sign-off, fee structure edit, MFA toggle) is captured with actor, action, target and timestamp. Exportable in 90-day windows.

AI transparency

Schools and trustees worry — rightly — about AI hallucination and PII leakage. We treat AI as a draftsman, never the source of truth.

  • AI calls are anonymised — the model never sees student PII.
  • Every AI-touched content version is recorded: AI-generated → AI-refined → teacher-edited.
  • Teachers can edit any AI output before it reaches students. We surface the override rate to the principal.
  • Guardrails (will / won’t do) are visible to the school and to every student using the tutor.

Inside the product

Every school's principal can open a Security & privacy settings page showing the live MFA state, the full RBAC matrix, last-backup timestamp, and the 90-day audit log.

Back to home →

Responsible disclosure

Found a vulnerability? Email us — we triage within one business day, fix critical issues within 72 hours, and publicly acknowledge researchers who report responsibly.

support@relearns.in

For school IT review

We send a single PDF on day one — SOC 2 mapping, the live RBAC matrix, backup proof, DPO contact, and the AI-transparency pack. No back-and-forth, no NDA gymnastics.

Request the security pack →