Security and Data Protection
The security of data for students, teachers, and educational establishments is an absolute priority for Scolaro. This page describes the technical and organizational measures we implement to protect your information.
For more information on privacy protection and our compliance with Law 25, consult our dedicated page: Privacy Protection and Law 25 Compliance.
Security is an ongoing process, not a final state. We constantly improve our practices to respond to emerging threats and industry best practices.
1. Secure Architecture and Infrastructure
1.1 Hosting and Cloud Infrastructure
- Scolaro uses Google Cloud Platform (GCP) and Firebase to host its services, an infrastructure recognized for its security and compliance with international standards.
- Data is stored in data centers located primarily in North America, with guarantees for availability and redundancy.
- The infrastructure benefits from security certifications including ISO 27001, SOC 2, and other recognized standards.
- Automatic and regular backups are performed to allow recovery in case of an incident.
1.2 Data Encryption
- Encryption in Transit: All communications between your browser and our servers use TLS 1.2 or higher (HTTPS). No data is transmitted in plain text.
- Encryption at Rest: Data stored in our databases is encrypted using encryption-at-rest mechanisms provided by the cloud infrastructure.
- Encryption keys are managed securely and are never exposed in source code or in configuration that could be accessed by unauthorized parties.
1.3 Access Control and Authentication
- User authentication uses Firebase Authentication, which implements secure practices for password and session management.
- Passwords are stored as cryptographic hashes (they cannot be recovered in plain text).
- Protection mechanisms against brute force attacks are in place.
- Access to data is controlled by Firestore security rules, which ensure that each user can only access data they are authorized to see.
2. Application Security
2.1 Secure Development
- Scolaro's code follows secure development practices, including user input validation and protection against common vulnerabilities (injection, XSS, CSRF, etc.).
- Software dependencies are regularly updated to fix known security flaws.
- Code reviews are performed to identify and correct potential security issues.
2.2 Session and Token Management
- User sessions are managed securely with time-limited authentication tokens.
- Tokens are invalidated upon logout or after a period of inactivity.
- Protection mechanisms against session theft are implemented.
2.3 Protection Against Attacks
- Rate limiting mechanisms are in place to prevent abuse and denial-of-service attacks.
- Filters and validations prevent the injection of malicious code or unauthorized data.
- HTTP security headers are configured to reduce risks of injection or clickjacking attacks.
3. Data Access Control
3.1 Principle of Least Privilege
- Each user only has access to data strictly necessary for their role:
  - Students see only their own work, results, and class information.
  - Teachers access only data for their groups and students.
  - School Administrators have access to data for their establishment only.
  - Scolaro Administrators have limited access, only for technical support and maintenance.
- These restrictions are applied at both the application level and the database level.
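The database-level half of this model is what Firestore security rules express. The rule set below is an added illustration written for this page, not Scolaro's own rules, and it assumes a data layout the page does not describe: a `role` and a `schoolId` custom claim on the Firebase Auth token, a `groups` collection whose documents carry `teacherId`, `schoolId` and a `studentIds` list, and a `submissions` collection whose documents carry `studentId`, `groupId` and `schoolId`. With those assumptions it enforces the four role boundaries listed above: a student reaches only their own submissions, a teacher only the groups they own and the submissions in them, and a school administrator only documents tagged with their establishment.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed: 'role' ('student' | 'teacher' | 'school_admin') and 'schoolId'
    // are custom claims set on the token when the account is provisioned.
    function signedIn() {
      return request.auth != null;
    }
    function role() {
      return request.auth.token.role;
    }
    function schoolId() {
      return request.auth.token.schoolId;
    }
    function isSchoolAdminOf(school) {
      return signedIn() && role() == 'school_admin' && schoolId() == school;
    }
    // Assumed: /groups/{groupId} documents carry teacherId, schoolId, studentIds.
    // The get() lookup ties a submission's group back to the teacher who owns it.
    function isTeacherOf(groupId) {
      return signedIn() && role() == 'teacher'
        && get(/databases/$(database)/documents/groups/$(groupId)).data.teacherId
           == request.auth.uid;
    }

    // Groups: readable by the owning teacher, its students, and the school's
    // admins; only a teacher may create one, and only for their own school.
    match /groups/{groupId} {
      allow read: if signedIn() && (
        resource.data.teacherId == request.auth.uid
        || request.auth.uid in resource.data.studentIds
        || isSchoolAdminOf(resource.data.schoolId));
      allow create: if signedIn() && role() == 'teacher'
        && request.resource.data.teacherId == request.auth.uid
        && request.resource.data.schoolId == schoolId();
      // The owning teacher may edit, but cannot reassign the group to another
      // teacher or school (those two fields must survive the update unchanged).
      allow update: if isTeacherOf(groupId)
        && request.resource.data.teacherId == resource.data.teacherId
        && request.resource.data.schoolId == resource.data.schoolId;
      allow delete: if false;
    }

    // Submissions: a student sees and edits only their own; the group's teacher
    // and the school's admins can read them; nothing is deleted from the client.
    match /submissions/{submissionId} {
      allow read: if signedIn() && (
        resource.data.studentId == request.auth.uid
        || isTeacherOf(resource.data.groupId)
        || isSchoolAdminOf(resource.data.schoolId));
      // A student may only submit as themselves, and only to a group they belong to.
      allow create: if signedIn() && role() == 'student'
        && request.resource.data.studentId == request.auth.uid
        && request.auth.uid in
           get(/databases/$(database)/documents/groups/$(request.resource.data.groupId)).data.studentIds;
      allow update: if signedIn()
        && resource.data.studentId == request.auth.uid
        && request.resource.data.studentId == resource.data.studentId
        && request.resource.data.groupId == resource.data.groupId;
      allow delete: if false;
    }

    // No other path is matched, so every other read or write is denied by default.
  }
}
```

Two points a reviewer of such rules would check. First, Firestore evaluates a list query against the rules as a whole, so a client listing submissions must constrain the query (for example with `where('studentId', '==', uid)`) to the same condition the `read` rule requires, or the whole query is rejected even if every returned document would have passed. Second, server-side code using the Admin SDK bypasses these rules entirely, which is why the page states that the restrictions are also enforced at the application level: the limited access of platform administrators has to be checked there.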
3.2 Logging and Auditing
- Access to sensitive data is logged to allow detection of suspicious activities.
- Audit logs are kept to meet traceability and compliance requirements.
- Logs are analyzed regularly to identify anomalies or unauthorized access attempts.
3.3 Identity and Role Management
- User roles are assigned in a controlled and verified manner.
- Changes to roles or permissions are traced and require appropriate authorization.
- Inactive or disabled accounts automatically lose their access.
4. Protection Against Security Incidents
4.1 Monitoring and Detection
- Automated monitoring systems detect suspicious activities or anomalies in platform usage.
- Alerts are configured to notify the technical team in case a security problem is detected.
- Monitoring tools track infrastructure health and security in real time.
4.2 Incident Response Plan
- Scolaro has a security incident response plan that defines procedures to follow in case of a data breach or attack.
- In case of an incident affecting personal data, users and establishments concerned will be notified within the timeframes required by law.
- Corrective measures will be taken immediately to limit impact and prevent future similar incidents.
4.3 Security Testing
- Regular security tests are performed to identify and correct vulnerabilities.
- Security audits may be performed by independent third parties when necessary.
- Identified security flaws are corrected according to a prioritized vulnerability management process.
5. Protection of Personal Data
5.1 Data Minimization
- We collect only data necessary for the pedagogical functioning of the platform.
- Data is kept only for the duration necessary for the purposes for which it was collected.
- Obsolete or unnecessary data is deleted or anonymized regularly.
5.2 Integrity and Availability
- Backup mechanisms ensure that data can be restored in case of accidental loss.
- Integrity controls allow detection of any unauthorized alteration of data.
- Service availability is ensured by a redundant infrastructure and automatic failover mechanisms.
5.3 Data Transfer
- When data is transferred to third-party service providers (for example, for AI features), contractual and technical guarantees are in place to ensure its security.
- Data transfers outside Quebec are performed in accordance with Law 25 requirements and with appropriate guarantees.
- Data is anonymized or minimized before any transfer whenever possible.
6. Compliance and Certifications
6.1 Legal Compliance
- Scolaro respects the requirements of Law 25 (Quebec) regarding personal information protection. For more details on our Law 25 compliance, consult our dedicated page: Privacy Protection and Law 25 Compliance.
- We also comply with major Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Privacy impact assessments are performed for new projects or features.
6.2 Industry Best Practices
- We follow recognized industry security best practices, notably those recommended by OWASP (Open Web Application Security Project).
- Our practices are aligned with security standards for educational applications.
- We stay up to date with evolving security threats and adapt our measures accordingly.
7. Shared Responsibilities
7.1 Scolaro's Responsibilities
- Maintain the security of the infrastructure and platform.
- Protect data stored in our systems.
- Inform users in case of a security incident affecting their data.
- Provide tools and mechanisms allowing users to manage their data securely.
7.2 User's Responsibilities
- Use strong and unique passwords for their Scolaro account.
- Do not share their login credentials with others.
- Log out of their session when using a shared computer.
- Immediately report any unauthorized access or suspicious activity to the Scolaro team.
- Respect their educational establishment's security policies.
7.3 Educational Establishment's Responsibilities
- Manage teacher and student access appropriately.
- Inform users of applicable security policies.
- Collaborate with Scolaro in case of a security incident.
- Respect their legal obligations regarding the protection of students' personal information.
8. Reporting Security Issues
If you discover a security vulnerability or suspect a security issue in Scolaro, we encourage you to report it to us responsibly.
Reporting Vulnerabilities
Please use the contact form and specify "Security" in the subject line. We ask that you:
- do not exploit the vulnerability beyond what is necessary to demonstrate it;
- do not access data that does not belong to you;
- do not modify or delete data;
- give us a reasonable timeframe to correct the problem before disclosing it publicly.
We commit to quickly reviewing any report and keeping you informed of the progress of the fix.
9. Updates and Evolution
This security page is updated regularly to reflect the evolution of our practices and infrastructure. We recommend consulting it periodically to stay informed of the security measures in place.
Important modifications made to our security practices will be communicated to users when appropriate and required by law.
For any questions regarding Scolaro security, you can contact us via the contact form.