Security & Data Protection

Our Commitment to Security

At Zvikoro, we understand that schools entrust us with their most valuable information—student data, staff records, and institutional information. We take this responsibility seriously and have implemented comprehensive security measures to protect your data from unauthorized access, disclosure, alteration, or destruction.

Our security practices comply with the Data Protection Act [Chapter 11:12] of Zimbabwe, the Cyber and Data Protection Act, and international best practices for educational technology platforms.

Data Protection Architecture

Multi-Tenant Isolation

Every school's data is completely isolated from other institutions. Our multi-tenant architecture ensures:

• Each school's data is stored in logically separated environments
• No cross-school data access is possible
• Complete privacy between different educational institutions
• Independent security controls for each school

Data Encryption

• In Transit: All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols
• At Rest: All data stored in our databases is encrypted using advanced encryption algorithms
• Backups: All backup data is encrypted before storage

Access Controls

• Role-based access control (RBAC) with 10 predefined permission levels
• Each user can only access information relevant to their role
• Administrative functions restricted to authorized personnel only
• Student data access limited to school staff and authorized guardians
• Multi-factor authentication available for enhanced security

Infrastructure Security

Secure Hosting

• Servers hosted in secure, certified data centers
• Physical security measures including surveillance and access controls
• 24/7 monitoring for suspicious activity
• Redundant power and network connections
• Regular security patches and updates

Network Security

• Firewall protection at multiple network layers
• Intrusion detection and prevention systems
• DDoS protection to ensure service availability
• Regular security scans and vulnerability assessments
• Secure API endpoints with authentication

Application Security

• Secure authentication and session management
• Protection against common web vulnerabilities (SQL injection, XSS, CSRF)
• Input validation and sanitization
• Secure password storage using industry-standard hashing
• Regular security code reviews

Data Backup and Recovery

Backup Strategy

• Automated daily backups of all data
• Multiple backup copies stored in geographically separate locations
• Regular testing of backup restoration procedures
• Point-in-time recovery capabilities
• Encrypted backup storage

Disaster Recovery

• Comprehensive disaster recovery plan
• Regular disaster recovery drills
• Redundant systems to minimize downtime
• Clear recovery time objectives (RTO) and recovery point objectives (RPO)
• Business continuity procedures

Compliance and Certifications

Legal Compliance

We comply with all applicable Zimbabwean laws and regulations, including:

• Data Protection Act [Chapter 11:12]: Compliance with data protection requirements
• Cyber and Data Protection Act: Adherence to cyber security standards
• Access to Information and Protection of Privacy Act [Chapter 10:27]: Protection of personal information
• Children's Act [Chapter 5:06]: Special protections for minors' information
• Education Act [Chapter 25:04]: Compliance with educational regulations

International Standards

Our security practices align with international standards:

• ISO 27001 information security principles
• GDPR-inspired data protection practices
• FERPA-aligned educational data protection (US Family Educational Rights and Privacy Act)
• COPPA principles for children's online privacy protection

Monitoring and Auditing

Activity Logging

• Comprehensive logging of all system access and activities
• User authentication and authorization events logged
• Data access and modification tracked
• Administrative actions recorded with timestamps
• Logs retained for audit and compliance purposes

Security Monitoring

• 24/7 security monitoring and threat detection
• Automated alerts for suspicious activities
• Real-time intrusion detection
• Regular security audits and assessments
• Incident response procedures in place

Third-Party Audits

• Regular independent security assessments
• Vulnerability scanning and penetration testing
• Compliance audits
• Continuous improvement based on audit findings

Personnel Security

Staff Training

• All staff undergo security awareness training
• Regular updates on security best practices
• Data protection and privacy training
• Incident response training

Access Management

• Background checks for personnel with data access
• Principle of least privilege—access only to necessary data
• Regular review and revocation of access rights
• Secure processes for employee onboarding and offboarding

Confidentiality

• All staff sign confidentiality agreements
• Clear policies on data handling and privacy
• Strict protocols for handling sensitive information

Incident Response

Security Incident Procedures

In the event of a security incident, we have established procedures to:

• Detect and contain the incident quickly
• Assess the scope and impact
• Notify affected parties as required by law
• Investigate root causes
• Implement corrective measures
• Document lessons learned

Breach Notification

In the unlikely event of a data breach affecting your information, we will:

• Notify affected schools and users within 72 hours of discovery
• Inform relevant authorities as required by law
• Provide clear information about the breach and steps being taken
• Offer guidance on protective measures
• Take immediate action to prevent further unauthorized access

Your Role in Security

Security is a shared responsibility. You can help protect your data by:

Best Practices

• Strong Passwords: Use complex passwords with letters, numbers, and symbols
• Password Uniqueness: Don't reuse passwords across different services
• Regular Updates: Change passwords periodically
• Secure Devices: Keep your devices updated with latest security patches
• Phishing Awareness: Be cautious of suspicious emails and links
• Secure Connections: Only access the platform from secure networks
• Logout: Always log out when finished, especially on shared devices
• Report Issues: Immediately report any suspicious activity

Account Security

• Never share your login credentials with anyone
• Review your account activity regularly
• Report unauthorized access immediately
• Keep your contact information up to date
• Enable multi-factor authentication if available

Data Retention and Deletion

Retention Periods

We retain data in accordance with Zimbabwean educational regulations:

• Student academic records: Minimum 7 years after graduation/withdrawal
• Financial records: As required by tax and accounting laws
• Employment records: As required by labor laws
• System logs: 12 months for security and compliance purposes

Secure Deletion

• Data is securely deleted when no longer needed
• Multiple-pass deletion to prevent recovery
• Backup data purged according to retention schedules
• Hardware decommissioned securely

Data Export

• Schools can export their data at any time
• Standard formats for easy data portability
• Assistance provided during data migration

Transparency and Accountability

Security Updates

We are committed to transparency about our security practices:

• Regular security bulletins and updates
• Clear communication about any security-related changes
• Open dialogue with our user community
• Responsive to security concerns and questions

Continuous Improvement

• Regular review and enhancement of security measures
• Adoption of emerging security technologies
• Learning from industry trends and incidents
• Feedback-driven security improvements

Report Security Concerns

If you discover a security vulnerability or have security concerns, please contact us immediately:

We appreciate responsible disclosure and will work with security researchers to address any vulnerabilities promptly.