Security | ZenCampus - School Management Software

1. Authentication

ZenCampus uses Supabase Auth as its authentication backbone, which implements the OAuth 2.0 and OpenID Connect standards. Users authenticate with email and password credentials. Upon successful login, Supabase issues a signed JSON Web Token (JWT) that is used to authorise every subsequent request.

Passwords are never stored in plaintext. Supabase hashes passwords using bcrypt before storage. We do not have access to your raw password at any point.

JWT tokens are short-lived and must be refreshed periodically
Refresh tokens are stored securely and invalidated on logout
Token issuance time (iat claim) is validated server-side on every API call
Login attempts are rate-limited by Supabase's built-in protections

2. Role-Based Access Control

Access within ZenCampus is governed by a three-tier role model. Roles are assigned by the school's Super Admin and cannot be self-elevated. Each role has a strictly defined set of permitted actions — no role can access data or operations beyond its designated scope. Students are managed as data entities within the system; they do not hold user accounts.

Role	Scope
Super Admin	Full platform access. Manages users, settings, billing, academic years, fee configuration, announcements, and all data.
Teacher	Access to assigned classes only. Can mark attendance, enter grades, create assessments, manage timetable, apply for leave, and view finance records for their students.
Parent	Read-only view of their linked child's attendance, grades, announcements, and academic calendar. Cannot modify any data.

Row-level security (RLS) policies enforced at the database layer ensure that even if an API request bypasses application-level checks, the database will not return data belonging to other schools or unauthorised users.

3. Session Management

ZenCampus provides administrators with the ability to revoke active sessions for any user at any time. When a session is revoked, the user is immediately signed out on all devices and cannot re-use any previously issued token.

Session revocation is enforced through a sessions_revoked_at timestamp stored on the user's profile. Every API request checks the token's iat (issued-at) claim against this timestamp. If the token was issued before the revocation time, the request is rejected with a 401 Unauthorised response.

Session revocation takes effect instantly — no propagation delay
Super Admins can revoke individual user sessions from the Users settings panel
Logging out from the application invalidates the refresh token server-side
Inactive sessions expire automatically per Supabase's token TTL policy

4. Data Encryption

At Rest

All data stored in the ZenCampus database — including student records, attendance data, fee information, academic grades, and personal details — is encrypted at rest using AES-256. Encryption is managed at the infrastructure level by Supabase, which runs on top of AWS.

In Transit

All communication between your browser and ZenCampus servers is encrypted using TLS 1.2 or TLS 1.3. HTTP connections are automatically redirected to HTTPS. There are no unencrypted endpoints in the platform.

WhatsApp Tokens

WhatsApp Business API credentials and phone number IDs are stored as encrypted environment variables and are never exposed in API responses or client-side code. Token values are masked in all audit log entries.

5. API Security

All ZenCampus API endpoints are protected by a layered middleware stack that runs before any business logic is executed:

Bearer token verification — every request must carry a valid JWT in the Authorization header
Role enforcement — endpoints declare the minimum role required; requests from lower-privileged roles are rejected with 403 Forbidden
HTTP method validation — endpoints only accept the methods they are designed for; unexpected methods receive 405 Method Not Allowed
Session revocation check — token issue time is compared against the user's revocation timestamp on every request
Structured error responses — error messages never leak internal stack traces, query details, or sensitive system information

Database queries use parameterised statements exclusively. String concatenation in query construction is not used anywhere in the codebase, preventing SQL injection by design.

6. Audit Logging

ZenCampus maintains a comprehensive audit log of all significant administrative actions taken within the platform. The audit trail is available to Super Admins from the Audit Log section of the dashboard.

Each log entry records:

The identity of the user who performed the action
The type of action (create, update, delete, login, export, etc.)
The affected resource and its identifier
A timestamp accurate to the millisecond
The IP address from which the request originated

Audit logs can be exported in CSV format for offline review or compliance reporting. Log entries cannot be deleted or modified by any user role within the application — they are append-only.

7. Infrastructure & Hosting

ZenCampus is hosted on Supabase, which runs on AWS infrastructure. Supabase holds SOC 2 Type II certification and applies security best practices including network isolation, automated backups, and intrusion detection.

Database backups are performed daily with a 30-day retention period
The platform targets 99.5% monthly uptime, excluding planned maintenance
Planned maintenance is communicated at least 48 hours in advance
Database connections are pooled and isolated per school (tenant isolation)
No cross-school data access is possible at the database layer

ZenCampus does not operate its own physical data centres. All infrastructure security obligations — including physical security, hardware maintenance, and network-level DDoS mitigation — are handled by Supabase and AWS.

8. Communications Security

ZenCampus integrates with the WhatsApp Business API to deliver attendance alerts and school announcements to parents. This integration is built with the following security controls:

WhatsApp API tokens are stored server-side as encrypted environment variables and are never exposed to the browser
Only Super Admins can configure or view WhatsApp integration settings
Outbound messages are sent through Meta's official Business API — ZenCampus does not relay messages through any third-party proxy
Message delivery status and errors are logged but do not include message content in the audit log
Phone numbers are stored with school-scoped isolation; one school cannot access another school's contact lists

9. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in ZenCampus, please report it to us before public disclosure so we can investigate and remediate the issue.

How to report

Email security@zencampus.in with a clear description of the vulnerability
Include steps to reproduce, affected endpoints or pages, and potential impact
Do not access, modify, or exfiltrate data belonging to other users while investigating
Do not perform denial-of-service testing or social engineering against our team or users

Our commitment

We will acknowledge your report within 2 business days
We will provide an update on remediation progress within 10 business days
We will not pursue legal action against researchers acting in good faith under these guidelines
We will credit researchers in our release notes where appropriate and with their consent

10. Contact

For security-related questions or to report a vulnerability:

Security reports: security@zencampus.in
General enquiries: hello@zencampus.in
Phone: +91 98765 43210 (Mon–Fri, 9am–6pm IST)

Security at ZenCampus