Security

Applies to the School Ops AIOS platform

This English version is provided for convenience. If there is any inconsistency, the Vietnamese version will prevail to the extent permitted by applicable law.


1. Security commitment

At School Ops AIOS, customer data security is a top priority. We aim to apply technical and organizational measures aligned with industry good practices to protect the confidentiality, integrity, and availability of data, in accordance with the Personal Data Protection Law 2025 (Law No. 91/2025/QH15), Decree 356/2025/ND-CP, and the Cybersecurity Law 2018.

This page provides an overview of our security approach. Some technical details may be kept confidential to preserve system safety.

2. Data encryption

  • In transit: connections between browsers and servers are implemented, or planned to be implemented, via TLS/HTTPS.
  • At rest: sensitive data and backups are planned to be encrypted when stored according to the deployment scope.
  • Passwords: where password-based login is used, passwords must be hashed using secure algorithms and not stored in plaintext.

3. Access control

  • Authentication uses mechanisms appropriate to each deployment; two-factor authentication (2FA) is recommended where available.
  • Role-based access control is applied within each organization.
  • Least privilege principle: personnel access data only when needed for their duties.
  • Important access activities are logged for monitoring and investigation.

4. Infrastructure and operations

  • Deployment prioritizes reputable infrastructure providers with appropriate security controls.
  • Development, testing, and production environments are separated.
  • Firewalls, network controls, and security monitoring are applied according to the deployment scope.
  • Software and dependencies are updated and patched periodically.

5. Backup and recovery

  • Data is planned to be backed up periodically to reduce risk of loss.
  • Recovery procedures and continuity plans are maintained for incidents.

6. Monitoring and incident response

We aim to monitor systems to detect abnormal activity. If a personal data breach occurs, we will:

  • Implement remediation and harm reduction measures;
  • Notify the competent authority (Ministry of Public Security) within 72 hours of detection, in accordance with the Personal Data Protection Law 2025 and Decree 356/2025/ND-CP;
  • Notify affected users or data subjects where necessary.

7. User responsibilities

Security is a shared responsibility. We recommend that you:

  • Use strong passwords and avoid reusing them;
  • Avoid sharing login credentials;
  • Enable two-factor authentication where available;
  • Log out on shared devices;
  • Notify us immediately if you suspect account compromise.

8. Reporting security vulnerabilities

If you discover a vulnerability or security issue, please notify us at [email protected]. We are committed to responsible handling and appreciate responsible cooperation. Please do not exploit or publicly disclose vulnerabilities before we have completed remediation.

9. Contact

See also: Privacy Policy · Terms of Service.

Questions?

Contact us to discuss security, data, or terms that fit your school.