Home/Security

Security at Acadyl

We take the security of your school's data seriously. Here's how we protect it.

Last updated: 1 July 2025

Overview

Security is foundational to everything we build at Acadyl. Educational institutions trust us with sensitive data — student records, financial information, and personal details of staff and families. We treat that responsibility with the utmost seriousness.

Our security programme is built on three principles: defence in depth, least privilege, and continuous improvement. We invest heavily in security infrastructure, conduct regular audits, and maintain a dedicated security team to monitor and respond to threats.

AES-256 Encryption
All data encrypted at rest using AES-256 and in transit via TLS 1.3.
DDoS Protection
Multi-layer DDoS mitigation with automatic traffic scrubbing.
Redundant Infrastructure
99.9% uptime SLA with multi-region failover and daily backups.
Zero-Knowledge Backups
Encrypted backups that only you can decrypt with your keys.
Role-Based Access
Granular permissions ensure users only see what they need.
24/7 Monitoring
Continuous security monitoring with automated anomaly detection.
Regular Pen Testing
Third-party penetration tests conducted at least annually.
SOC 2 Aligned
Controls aligned with SOC 2 Type II trust service criteria.

Infrastructure Security

Acadyl is hosted on enterprise-grade cloud infrastructure with physical security controls including 24/7 on-site security, biometric access, and video surveillance. Our infrastructure is distributed across multiple availability zones to ensure resilience against hardware failures and regional outages.

  • All servers run hardened operating system images with unnecessary services disabled.
  • Network segmentation isolates production systems from development and staging environments.
  • Firewalls and security groups restrict inbound and outbound traffic to only what is required.
  • Automated vulnerability scanning runs continuously against our infrastructure.
  • All infrastructure changes are reviewed and deployed through a controlled change management process.

Data Security

Your data is encrypted at every stage of its lifecycle. Data in transit is protected using TLS 1.3 with strong cipher suites. Data at rest is encrypted using AES-256. Database backups are encrypted and stored in geographically separate locations.

We perform automated daily backups with a 30-day retention period. Backups are tested regularly to ensure they can be restored successfully. In the event of data loss, our recovery time objective (RTO) is 4 hours and our recovery point objective (RPO) is 24 hours.

Customer data is logically isolated — your institution's data is never commingled with another customer's data at the application layer. Database-level isolation is enforced through strict access controls and row-level security policies.

Access Control

We enforce the principle of least privilege across all systems. Access to production systems is restricted to a small number of authorised engineers and requires multi-factor authentication (MFA). All access is logged and reviewed regularly.

  • All Acadyl employees undergo background checks before being granted access to production systems.
  • Access is provisioned on a need-to-know basis and reviewed quarterly.
  • Privileged access management (PAM) tools are used for all administrative access.
  • All access to customer data is logged with full audit trails.
  • Access is immediately revoked upon employee departure.

Within the platform, administrators can configure granular role-based access controls (RBAC) to ensure staff members only have access to the data and features relevant to their role.

Application Security

Security is integrated into our software development lifecycle (SDLC). Our engineering team follows secure coding practices and all code changes undergo peer review before deployment.

  • Static application security testing (SAST) is run on every code commit.
  • Dynamic application security testing (DAST) is performed on every release.
  • Dependencies are monitored for known vulnerabilities using automated scanning tools.
  • We protect against OWASP Top 10 vulnerabilities including SQL injection, XSS, and CSRF.
  • Rate limiting and brute-force protection are applied to all authentication endpoints.
  • Session tokens are rotated on authentication and have configurable expiry periods.

Compliance

We are committed to meeting the compliance requirements of the educational institutions we serve. Our security controls are aligned with internationally recognised frameworks and standards.

  • GDPR: We support our customers' GDPR compliance obligations as a data processor, including data processing agreements (DPAs) available on request.
  • ISO 27001: Our information security management system is aligned with ISO 27001 principles.
  • SOC 2: Our controls are aligned with SOC 2 Type II trust service criteria. A formal audit is planned for 2025.
  • Data Localisation: We offer data residency options for customers with specific data localisation requirements.

Incident Response

We maintain a documented incident response plan that is tested and updated regularly. In the event of a security incident, our response process includes:

  • Detection: Automated monitoring and alerting systems detect anomalies in real time.
  • Containment: Affected systems are isolated to prevent further damage.
  • Investigation: Our security team conducts a thorough root cause analysis.
  • Notification: Affected customers are notified within 72 hours of a confirmed breach, as required by applicable law.
  • Remediation: Vulnerabilities are patched and controls are strengthened to prevent recurrence.
  • Post-Incident Review: A detailed post-mortem is conducted and findings are shared internally.

Responsible Disclosure

We believe that working with security researchers is an important part of maintaining a secure platform. If you discover a security vulnerability in Acadyl, we encourage you to report it to us responsibly.

Scope

The following are in scope for our responsible disclosure programme:

  • The Acadyl web application (app.acadyl.com)
  • The Acadyl marketing website (acadyl.com)
  • Acadyl mobile applications (when available)
  • Acadyl public APIs

Out of Scope

The following are out of scope and should not be tested:

  • Social engineering attacks against Acadyl employees or customers
  • Physical security attacks
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning without prior written permission
  • Third-party services and infrastructure not owned by Acadyl

Reporting Guidelines

When reporting a vulnerability, please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept code, screenshots, or videos
  • Your contact information for follow-up

Please do not access, modify, or delete data that does not belong to you. Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it (typically 90 days).

Our Commitments

In return, we commit to:

  • Acknowledge receipt of your report within 2 business days
  • Provide an initial assessment within 5 business days
  • Keep you informed of our progress throughout the remediation process
  • Not pursue legal action against researchers who act in good faith
  • Credit researchers in our security acknowledgements (with permission)

Security Contact

To report a security vulnerability or for any security-related enquiries, please email security@acadyl.com. For sensitive disclosures, please encrypt your message using our PGP key, available on request.

For general support enquiries, please visit our Support page.