Our Commitment to Security
Tutionwale, owned and operated by Sentriqo IT Solutions Private Limited, handles sensitive information including student records, biometric attendance data, financial transactions, and personal details of tuition centres, students, and parents.
In compliance with Section 43A of the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital Personal Data Protection Act, 2023, we implement and maintain reasonable security practices and procedures commensurate with the sensitivity of the data we process.
Infrastructure Security
🔒 Encryption in Transit
All data transmitted between your browser/device and our servers is encrypted using TLS 1.2/1.3 with 256-bit encryption. HSTS is enforced to prevent protocol downgrade attacks.
🛡️ Network Protection
Multi-layered firewall protection, DDoS mitigation, Web Application Firewall (WAF), and intrusion detection/prevention systems (IDS/IPS) guard against unauthorised access and attacks.
💾 Encrypted Backups
Automated daily backups with AES-256 encryption. Point-in-time recovery capability with backups stored in geographically redundant locations within India.
🏢 Secure Hosting
Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II compliance, ISO 27001 certification, and data centres located in India to comply with data localisation requirements.
Application Security
- Authentication & Session Management: Secure session handling with CSRF protection on all forms. Passwords are hashed using bcrypt (irreversible). Session tokens are rotated on login and regenerated periodically.
- Role-Based Access Control (RBAC): Strict access controls ensure users can only access data relevant to their role — SuperAdmin, Tuition Admin, Teacher, Student, or Parent. Each role has defined permissions enforced at the application layer.
- Multi-Tenant Data Isolation: Each tuition centre operates in a logically isolated environment. Strict tenant scoping at the database query layer ensures that no centre can access another centre's data under any circumstance.
- Input Validation & Sanitisation: All user inputs are validated server-side using Laravel's validation framework. Outputs are escaped to prevent Cross-Site Scripting (XSS). Parameterised queries prevent SQL Injection. Content Security Policy (CSP) headers are enforced.
- API Security: API endpoints are protected with token-based authentication (Laravel Sanctum), rate limiting, and request throttling to prevent abuse and brute-force attacks.
- Dependency Management: Third-party packages are regularly audited for known vulnerabilities using automated security scanning tools.
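Tenant scoping "at the database query layer" is easiest to guarantee when the filter lives on the model rather than in each controller. The following is an added example, not Tutionwale's own code: a Laravel Eloquent global scope of the kind the bullet above describes. The column name `tuition_centre_id`, the user attribute of the same name, and a `role` attribute holding `superadmin` for platform staff are assumptions.

```php
<?php
// Added example, not Tutionwale's own code. Assumed names: a
// `tuition_centre_id` column on tenant-owned tables, the same attribute on
// the authenticated User, and a `role` attribute that is 'superadmin' for
// platform operators.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Auth;

class Student extends Model
{
    protected $fillable = ['name', 'tuition_centre_id'];

    protected static function booted(): void
    {
        // Global scope: every SELECT/UPDATE/DELETE built through Eloquent
        // gets the tenant predicate appended, so a forgotten where() in one
        // controller cannot return or modify another centre's rows.
        static::addGlobalScope('tenant', function (Builder $query): void {
            $user = Auth::user();

            if ($user === null) {
                // Unauthenticated context (queue job, CLI without an actor):
                // match nothing rather than everything. Code that genuinely
                // needs cross-tenant access must opt out explicitly.
                $query->whereRaw('1 = 0');
                return;
            }

            if ($user->role === 'superadmin') {
                return; // platform operators may see all centres
            }

            // Table-qualified so the predicate survives joins.
            $query->where(
                $query->getModel()->getTable() . '.tuition_centre_id',
                $user->tuition_centre_id
            );
        });

        // Stamp the tenant on insert from the session, not the request body,
        // so a crafted form cannot create a row under another centre.
        static::creating(function (Student $student): void {
            $user = Auth::user();
            if ($user !== null && $user->role !== 'superadmin') {
                $student->tuition_centre_id = $user->tuition_centre_id;
            }
        });
    }
}
```

With this scope in place, `Student::find($id)` for an id that belongs to another centre returns `null`, so a route like `/students/{id}` fails closed even if the controller performs no ownership check of its own. Two paths bypass it and deserve review attention: `Student::withoutGlobalScope('tenant')` and raw `DB::table('students')` queries, neither of which receives the predicate.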
Payment Security
- All payment processing is handled by RBI-authorised payment gateways (e.g., Razorpay) that are PCI DSS Level 1 compliant
- We never store credit card numbers, debit card numbers, CVV, or UPI PINs on our servers
- Payment data is tokenised and processed through encrypted channels directly between the user's browser and the payment gateway
- Webhook signatures are verified using HMAC-SHA256 to prevent tampering
- All transaction records are maintained in compliance with RBI guidelines and the Payment and Settlement Systems Act, 2007
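The HMAC-SHA256 webhook check in the list above only protects against tampering if it is computed over the exact bytes received and compared in constant time. The following is an added example and is neither Tutionwale's nor Razorpay's code; it shows a Laravel controller doing that check before the payload is parsed. The `X-Razorpay-Signature` header name, the `services.razorpay.webhook_secret` config key and the `ProcessPaymentEvent` job are assumptions.

```php
<?php
// Added example, not Tutionwale's or the gateway's own code. Assumptions:
// the webhook secret is stored under config('services.razorpay.webhook_secret'),
// the gateway sends a hex HMAC-SHA256 of the request body in the
// X-Razorpay-Signature header, and ProcessPaymentEvent is a hypothetical job.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\Response;

class PaymentWebhookController extends Controller
{
    /**
     * Recompute HMAC-SHA256 over the raw body and compare it with the
     * signature the gateway sent. Any missing input fails closed.
     */
    public static function signatureIsValid(string $rawBody, ?string $signature, string $secret): bool
    {
        if ($signature === null || $signature === '' || $secret === '') {
            return false;
        }

        $expected = hash_hmac('sha256', $rawBody, $secret); // lowercase hex digest

        // hash_equals compares in constant time, so a forger learns nothing
        // from response timing about how many leading bytes matched.
        return hash_equals($expected, $signature);
    }

    public function __invoke(Request $request): Response
    {
        // Sign over the bytes as received. Re-encoding json_decode() output
        // changes key order and whitespace and yields a different MAC.
        $rawBody = $request->getContent();
        $secret  = (string) config('services.razorpay.webhook_secret');

        if (! self::signatureIsValid($rawBody, $request->header('X-Razorpay-Signature'), $secret)) {
            // Record the rejection for monitoring without echoing body or MAC.
            logger()->warning('payment webhook rejected: bad signature', ['ip' => $request->ip()]);
            return response('invalid signature', 400);
        }

        // Only a verified body is parsed and acted upon.
        $event = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);

        // Hypothetical job; the gateway's event schema is not reproduced here.
        \App\Jobs\ProcessPaymentEvent::dispatch($event);

        return response('ok', 200);
    }
}
```

Because the gateway does not carry a Laravel CSRF token, the webhook route must be listed in the CSRF middleware's `$except` array; the HMAC check is what stands in for CSRF protection on this one endpoint. Returning 400 rather than 401 on a bad signature avoids prompting retries with a stale secret, and the job boundary keeps slow ledger work out of the gateway's timeout window.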
Data Privacy & Protection Practices
- Encryption at Rest: Sensitive data fields are encrypted using AES-256 in the database. Passwords are stored using bcrypt hashing (one-way, irreversible).
- Principle of Least Privilege: Access to production systems, databases, and infrastructure is restricted to authorised personnel on a need-to-know basis.
- Access Logging & Monitoring: All access to sensitive data and administrative actions are logged with timestamps, IP addresses, and user identifiers. Logs are retained for audit purposes.
- Employee Security: All employees and contractors with access to production data are bound by confidentiality agreements. Access is revoked immediately upon departure.
- Secure Data Deletion: When accounts are terminated, data is securely erased in accordance with our retention policy and applicable regulations.
- Data Localisation: All primary data processing and storage occurs within India, in compliance with the DPDP Act, 2023 and RBI data localisation directives.
Biometric Data Security
For tuition centres using biometric attendance devices:
- Biometric templates (fingerprint identifiers) are stored on the hardware device and not transmitted or stored in our cloud databases
- Only attendance event metadata (student ID, timestamp, punch type) is transmitted to our servers
- Device-to-server communication is authenticated using API keys and device registration tokens
- This approach is aligned with the DPDP Act, 2023 provisions on processing of sensitive personal data
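A device that only ever sends attendance metadata should hold a credential that can only do that, and the server should refuse anything beyond the three fields listed above. The following is an added example, not Tutionwale's code, using Laravel Sanctum token abilities (the framework the page names) to scope a device's registration token and strict validation to bound the payload. The `Device` and `AttendanceEvent` models, the `attendance:punch` ability name, and the field names are assumptions.

```php
<?php
// Added example, not Tutionwale's own code. Assumptions: a Device model
// using Sanctum's HasApiTokens trait, a tuition_centre_id column on both
// devices and students, an AttendanceEvent model, and the ability name
// 'attendance:punch'. The route is behind the auth:sanctum middleware.

namespace App\Http\Controllers;

use App\Models\AttendanceEvent;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class AttendancePunchController extends Controller
{
    public function __invoke(Request $request): JsonResponse
    {
        // The authenticated principal is the device itself. At registration
        // its token was minted with a single ability, e.g.
        //   $device->createToken('reader-' . $device->serial, ['attendance:punch']);
        // so even a leaked device token cannot call any other API.
        $device = $request->user();
        if (! $device->tokenCan('attendance:punch')) {
            return response()->json(['error' => 'token lacks attendance:punch'], 403);
        }

        // Accept only the metadata the page describes. Unknown keys are
        // dropped by validate(); a template or image field never reaches storage.
        $data = $request->validate([
            'student_id' => [
                'required', 'integer',
                // The student must belong to the same centre as the device.
                Rule::exists('students', 'id')->where('tuition_centre_id', $device->tuition_centre_id),
            ],
            'punched_at' => ['required', 'date', 'before_or_equal:now'],
            'punch_type' => ['required', Rule::in(['in', 'out'])],
        ]);

        $event = AttendanceEvent::create([
            'device_id'         => $device->id,
            'tuition_centre_id' => $device->tuition_centre_id, // from the token, never the body
            'student_id'        => $data['student_id'],
            'punched_at'        => $data['punched_at'],
            'punch_type'        => $data['punch_type'],
        ]);

        return response()->json(['id' => $event->id], 201);
    }
}
```

The centre identifier is taken from the authenticated device rather than the request, and the `exists` rule is restricted to that centre, so a device cannot record a punch for a student enrolled elsewhere. Rotating a device's token at re-registration (`$device->tokens()->delete()` followed by a new `createToken`) keeps the "device registration token" mentioned above short-lived.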
Incident Response
In compliance with CERT-In (Indian Computer Emergency Response Team) directives and the DPDP Act, 2023:
- Security incidents are reported to CERT-In within 6 hours of discovery, as mandated by CERT-In Directions (April 2022)
- Affected Data Principals (users) are notified within 72 hours of a confirmed personal data breach, as required under the DPDP Act, 2023
- The Data Protection Board of India is notified of significant breaches as per statutory requirements
- Root cause analysis is conducted, documented, and corrective measures are implemented immediately
- A post-incident report is prepared and shared with affected parties upon request
Security Audits & Compliance
- Regular vulnerability assessments and penetration testing are conducted
- Code reviews are performed for all changes to production systems
- Our security practices are aligned with:
  - Information Technology Act, 2000 (Section 43A)
  - SPDI Rules, 2011
  - Digital Personal Data Protection Act, 2023
  - CERT-In Cyber Security Directions, 2022
  - RBI Guidelines on Information Security
  - OWASP Top 10 best practices
Responsible Disclosure
We encourage responsible disclosure of security vulnerabilities. If you discover a vulnerability in our Platform, please report it to:
Security Team Email: info@tutionwale.in
Subject Line: [SECURITY] Vulnerability Report — Tutionwale
We request that you:
- Do not exploit the vulnerability or access data belonging to other users
- Provide sufficient detail to reproduce the issue
- Allow reasonable time for assessment and remediation before public disclosure
We acknowledge and appreciate security researchers who help us maintain a secure platform. Validated reports will be acknowledged, and we will work with reporters to address confirmed vulnerabilities promptly.
Contact Information
For questions about our security practices or to report a concern:
Sentriqo IT Solutions Private Limited
Platform: Tutionwale
Email: info@tutionwale.in
Phone: +91-8668370257