Security
Last updated: June 2026
Security Overview
MyAbhyaash implements comprehensive security measures to protect student and institutional data. Security is not a feature—it is foundational to everything we build.
Encryption & Transmission Security
- HTTPS/TLS 1.2+: All data in transit is encrypted using industry-standard TLS 1.2 or higher
- End-to-End: Secure from your device to our servers and back
- Certificate Pinning: Mobile apps use certificate pinning to prevent man-in-the-middle attacks
- HSTS: HTTP Strict Transport Security enforced to prevent protocol downgrade
Password & Authentication Security
- Password Hashing: All passwords are hashed using bcrypt with salt rounds ≥12
- Never Stored in Plain Text: Passwords are never stored, logged, or transmitted in plain text
- Session Tokens: JWT-based with 15-minute expiry and 30-day refresh token rotation
- Device Fingerprinting: Each device is assigned a unique ID to prevent unauthorized access
Database Security
- Encrypted at Rest: PostgreSQL database encrypted using AWS KMS
- VPC Isolation: Database runs in private VPC subnet with no public access
- Access Control: Database access limited to authorized application servers only
- Regular Backups: Automated daily backups encrypted and stored separately
- SQL Injection Prevention: Parameterized queries and ORM prevent SQL injection attacks
Application Security
OWASP Top 10 Compliance
- XSS Prevention: Input sanitization and output encoding
- CSRF Protection: CSRF tokens on all state-changing requests
- Authentication: Secure session management with re-authentication on sensitive operations
- Authorization: Role-based access control (RBAC) enforced at API and database levels
- Sensitive Data: No sensitive data in logs, URLs, or error messages
- Dependency Management: Regular security updates for all packages
Infrastructure Security
- AWS Security: Leverages AWS security best practices including Security Groups, NACLs, and IAM
- DDoS Protection: CloudFront and AWS Shield protect against DDoS attacks
- WAF: AWS WAF rules prevent common web attacks
- Monitoring: CloudWatch and automated alerts for suspicious activity
- Incident Response: Documented incident response procedures and escalation paths
Access Control & Permissions
- Role-Based Access: STUDENT, COLLEGE_ADMIN, SUPER_ADMIN roles with granular permissions
- Data Isolation: Students see only their own data. College admins see only their college's data
- API Authorization: Every API endpoint validates permissions before returning data
- Audit Logging: All administrative actions logged with timestamp, user, and changes
Third-Party Security
- Firebase: Google-managed FCM service with SOC 2 Type II compliance
- AWS: AWS services undergo regular SOC 2 audits
- Third-Party Dependencies: Regular vulnerability scanning using tools like Dependabot
- No Unnecessary Integrations: Minimal third-party integrations to reduce attack surface
Compliance & Standards
- Government of Nepal Registration: Officially registered company (Reg. No. 393523/82/83)
- Data Protection: Compliance with Nepal's privacy and data protection frameworks
- Educational Data: Follows best practices for student data protection
- Export Controls: No data transfers outside Nepal without explicit institutional consent
Vulnerability Management
- Regular Security Audits: Quarterly security assessments and penetration testing
- Dependency Scanning: Automated scanning for known vulnerabilities
- Bug Bounty: We welcome responsible disclosure. Contact: support@myabhyaash.com
- Patch Management: Security patches deployed within 24 hours of discovery
Data Retention & Deletion
- Active Data: Retained during subscription period
- Post-Subscription: Retained for 90 days, then deleted
- Student Deletion Requests: Processed within 30 days; data permanently purged
- Backup Deletion: Backup data deleted after 30 days
Security Incident Response
In the unlikely event of a security breach:
- We will notify affected users and institutions immediately
- We will disclose the nature and scope of the breach
- We will take steps to prevent recurrence
- Full incident report will be provided to institutional leaders
Security Contact
For security concerns, vulnerabilities, or to report suspicious activity:
Email: support@myabhyaash.com
Response Time: We aim to respond to all security reports within 24 hours