Security & Trust
How we protect student and institutional data.
Our Security Commitment
SheraAI LMS handles sensitive educational data: student records, attendance, grades, and financial information. We take this responsibility seriously.
This page explains the technical and organizational measures we implement to protect your data. We believe security should be transparent, not a black box.
Infrastructure Security
Enterprise-grade cloud infrastructure.
Firebase & Google Cloud
SheraAI LMS runs on Firebase, which is part of Google Cloud Platform. This provides access to Google's security infrastructure, including physical security at data centers, network security, and operational security practices.
Data Centers
Google-operated data centers with 24/7 security, biometric access, and environmental controls.
Network Security
DDoS protection, intrusion detection, and firewalls at the infrastructure level.
Availability
Firebase offers a 99.95% uptime SLA with automatic failover and load balancing.
Certifications
Google Cloud maintains ISO 27001, SOC 2, and other compliance certifications.
Data Encryption
Protection at rest and in transit.
Encryption in Transit
All data transmitted between the application and servers is encrypted using TLS 1.2 or higher. This includes:
- Mobile app to Firebase backend
- Web application to Firebase backend
- API calls for data synchronization
- File uploads and downloads
Encryption at Rest
Data stored in Firebase is encrypted at rest using AES-256 encryption. This applies to:
- Firestore database
- Cloud Storage files
- Database backups
Key Management
Encryption keys are managed by Google Cloud KMS with automatic rotation. Keys are never stored alongside encrypted data.
Access Control
Right data to the right people.
Authentication
User authentication is handled by Firebase Authentication. Users sign in with email and password, with secure password hashing and protection against brute-force attacks.
Role-Based Access
SheraAI LMS implements strict role-based access control. Each of the eight user roles (Super Admin, School Admin, Principal, Teacher, Student, Parent, Accountant, Support Staff) has specific permissions.
- Teachers can only access their assigned classes
- Parents can only view their own children's data
- Accountants cannot access academic records
- Students cannot view other students' grades
Firestore Security Rules
Access control is enforced at the database level using Firestore Security Rules. Even if the application were compromised, unauthorized data access would be blocked by the database.
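The four restrictions listed under Role-Based Access, sketched as Firestore Security Rules. This is an added example, not SheraAI LMS's actual rules: the collection paths, the `teacherIds` and `parentIds` fields, the role strings, and the `role` custom claim are all assumptions made for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumption: the user's role is carried in a custom auth claim named "role".
    function signedIn() { return request.auth != null; }
    function role() { return request.auth.token.role; }

    // Assumption: classes/{classId}.teacherIds lists the assigned teachers' uids.
    function teachesClass(classId) {
      return request.auth.uid in
        get(/databases/$(database)/documents/classes/$(classId)).data.teacherIds;
    }
    // Assumption: students/{studentId}.parentIds lists the linked parents' uids.
    function isParentOf(studentId) {
      return request.auth.uid in
        get(/databases/$(database)/documents/students/$(studentId)).data.parentIds;
    }

    // Grades: readable by an assigned teacher, the student the grade belongs to,
    // or that student's parent. Accountants match no branch, so they are denied.
    match /classes/{classId}/grades/{studentId} {
      allow read: if signedIn() && (
        (role() == 'teacher' && teachesClass(classId)) ||
        (role() == 'student' && request.auth.uid == studentId) ||
        (role() == 'parent' && isParentOf(studentId))
      );
      // Assumption: only an assigned teacher may record or change grades.
      allow write: if signedIn() && role() == 'teacher' && teachesClass(classId);
    }

    // Student profile: the student, or a parent linked on the document itself.
    match /students/{studentId} {
      allow read: if signedIn() && (
        (role() == 'student' && request.auth.uid == studentId) ||
        (role() == 'parent' && request.auth.uid in resource.data.parentIds)
      );
    }

    // Financial records (hypothetical collection): accountant only.
    match /invoices/{invoiceId} {
      allow read, write: if signedIn() && role() == 'accountant';
    }
    // No catch-all allow: any path or role not matched above is denied by default.
  }
}
```

Rules like these can be exercised against the Firebase Local Emulator Suite before deployment, with one test per role confirming both the allowed and the denied reads.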
Data Protection
Handling sensitive information responsibly.
Data Minimization
We collect only the data necessary for the application to function. We don't collect behavioral analytics, advertising identifiers, or data unrelated to educational management.
Data Retention
Institutions control their data retention. When an institution ends their use of SheraAI LMS, they can export all their data and request deletion from our systems.
Data Export
Administrators can export institutional data in standard formats (CSV, PDF) for backup, regulatory compliance, or migration purposes.
Student Privacy
Student data is accessible only to authorized school personnel and parents. We do not share student data with third parties, sell data, or use it for advertising.
Device Security
Protecting data on user devices.
Local Storage
For offline functionality, data is stored locally on devices. On Android and iOS, this data is stored in the application's private storage area, inaccessible to other applications.
Session Management
User sessions have configurable timeouts. Institutions can require re-authentication after periods of inactivity or when the app is reopened.
Device Loss
If a device is lost or stolen, administrators can revoke the user's authentication tokens, preventing access from the lost device. The next time the device connects, it will be logged out.
Operational Security
How we manage security internally.
Development Practices
- Code review for all changes
- Dependency scanning for known vulnerabilities
- Security testing before releases
- Separation of development and production environments
Incident Response
In the event of a security incident, we have documented procedures for containment, investigation, remediation, and notification. If an incident affects user data, affected institutions will be notified promptly.
Security Contact
To report a security vulnerability, please email security@shera-ai.com. We take all reports seriously and will respond within 48 hours.
Compliance
Meeting regulatory requirements.
Data Protection
SheraAI LMS is designed to help institutions meet their data protection obligations. While specific compliance requirements vary by jurisdiction, our security measures align with common requirements:
- Data encryption in transit and at rest
- Access controls and audit logging
- Data export and deletion capabilities
- Consent management for student data
Privacy Policy
Our Privacy Policy details what data we collect, how we use it, and user rights regarding their data.
Questions
We're here to help.
If you have questions about our security practices or need additional information for your institution's security review, please contact us.