Security Practices

Last updated: January 1, 2025

Our Commitment: Security is foundational to SMERP EDU. We implement enterprise-grade security measures to protect educational data and maintain the trust of institutions worldwide.

1. Security Overview

SMERP EDU employs a defense-in-depth approach to security, implementing multiple layers of protection across our infrastructure, applications, and operations. Our security program is designed to meet the requirements of educational institutions and to comply with regulations and standards including GDPR, FERPA, COPPA, and SOC 2.

2. Certifications and Compliance

Certification/Standard | Status    | Scope
-----------------------|-----------|----------------------------------------
SOC 2 Type II          | Certified | Security, Availability, Confidentiality
ISO 27001              | Certified | Information Security Management
GDPR                   | Compliant | EU Data Protection
FERPA                  | Compliant | US Education Records
COPPA                  | Compliant | Children's Privacy
CCPA/CPRA              | Compliant | California Privacy
UAE PDPL               | Compliant | UAE Data Protection

3. Infrastructure Security

3.1 Cloud Infrastructure

Our services are hosted on enterprise-grade cloud platforms (Google Cloud Platform and Microsoft Azure) that provide:

  • SOC 1/2/3 and ISO 27001 certified data centers
  • Physical security including 24/7 monitoring, biometric access, and security personnel
  • Redundant power supplies and environmental controls
  • Geographic redundancy across multiple regions
  • DDoS protection and network-level security

3.2 Network Security

  • Web Application Firewall (WAF) to protect against common attacks
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Network segmentation and micro-segmentation
  • Private networking between services
  • Regular vulnerability scanning and penetration testing

3.3 Data Center Locations

We offer data residency options in the following regions:

  • Middle East (UAE, Saudi Arabia)
  • Europe (Netherlands, Germany, UK)
  • North America (USA, Canada)
  • Asia Pacific (Singapore, Australia)

4. Data Protection

4.1 Encryption

Data State       | Encryption Standard | Key Management
-----------------|---------------------|----------------------------------
Data at Rest     | AES-256             | Cloud KMS with automatic rotation
Data in Transit  | TLS 1.3             | Managed certificates, HSTS enabled
Backups          | AES-256             | Separate encryption keys
Sensitive Fields | AES-256-GCM         | Per-tenant encryption keys

4.2 Data Classification

We classify data into sensitivity levels and apply appropriate protections:

  • Highly Sensitive: SSN, financial data, health records - field-level encryption, strict access controls
  • Sensitive: Academic records, contact information - encryption, role-based access
  • Internal: System configurations - encryption, authenticated access
  • Public: Marketing content - standard protection

4.3 Data Backup and Recovery

  • Automated daily backups with point-in-time recovery
  • Encrypted backup storage in geographically separate locations
  • 30-day backup retention (configurable for Enterprise)
  • Regular backup restoration testing
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

5. Application Security

5.1 Secure Development

  • Security training for all developers
  • Secure coding guidelines based on OWASP
  • Code review requirements before deployment
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Dependency vulnerability scanning
  • Container image scanning

5.2 Authentication and Access Control

  • Multi-factor authentication (MFA) support
  • Single Sign-On (SSO) via SAML 2.0 and OAuth 2.0
  • Role-based access control (RBAC) with granular permissions
  • Session management with automatic timeout
  • Password policies enforcing complexity requirements
  • Account lockout after failed attempts
  • API authentication via OAuth 2.0 and API keys

5.3 Protection Against Common Threats

Threat                   | Protection Measures
-------------------------|----------------------------------------------------------
SQL Injection            | Parameterized queries, ORM usage, input validation
XSS                      | Output encoding, Content Security Policy, DOM sanitization
CSRF                     | Anti-CSRF tokens, SameSite cookies
Clickjacking             | X-Frame-Options, frame-ancestors CSP
Insecure Deserialization | Input validation, type checking
IDOR                     | Authorization checks, tenant isolation

6. Operational Security

6.1 Monitoring and Logging

  • 24/7 security monitoring and alerting
  • Centralized log management with tamper protection
  • Security Information and Event Management (SIEM)
  • Anomaly detection for unusual activity
  • Audit logs for all administrative actions
  • Log retention: 90 days online, 1 year archived

6.2 Vulnerability Management

  • Weekly automated vulnerability scans
  • Annual third-party penetration testing
  • Bug bounty program for responsible disclosure
  • Patch management with defined SLAs:
    • Critical: 24 hours
    • High: 7 days
    • Medium: 30 days
    • Low: 90 days

6.3 Incident Response

We maintain a formal incident response plan that includes:

  • Defined incident classification and escalation procedures
  • 24/7 on-call security team
  • Communication protocols for affected customers
  • Post-incident analysis and remediation
  • Regular tabletop exercises and plan testing

7. Employee Security

7.1 Personnel Security

  • Background checks for all employees
  • Confidentiality agreements
  • Security awareness training at onboarding
  • Annual security refresher training
  • Phishing simulation exercises
  • Clean desk policy

7.2 Access Management

  • Principle of least privilege
  • Just-in-time access for production systems
  • Quarterly access reviews
  • Immediate access revocation on termination
  • Separate development and production environments

8. Third-Party Security

We assess and monitor the security of our vendors and partners:

  • Security assessment before onboarding
  • Contractual security requirements
  • Annual security review of critical vendors
  • Data Processing Agreements where applicable

9. Business Continuity

  • Documented Business Continuity Plan (BCP)
  • Disaster Recovery Plan with defined RTO/RPO
  • Geographic redundancy for critical systems
  • Annual BCP/DR testing
  • Failover procedures and runbooks

10. Security for Customers

10.1 Security Features Available to You

  • Multi-factor authentication
  • Single Sign-On integration
  • IP allowlisting
  • Session management controls
  • Audit logs and activity reports
  • Data export capabilities
  • Custom password policies (Enterprise)

10.2 Security Recommendations

We recommend the following security practices:

  • Enable MFA for all administrator accounts
  • Use SSO where possible
  • Review user access quarterly
  • Train staff on security awareness
  • Use strong, unique passwords
  • Keep your systems and browsers updated

11. Reporting Security Issues

We take security reports seriously. If you discover a security vulnerability, please report it responsibly:

Security Team

Email: security@smerptek.com

Please include detailed steps to reproduce the issue. We will acknowledge receipt within 24 hours and work to remediate valid reports promptly.

12. Security Documentation

Enterprise customers may request additional security documentation including:

  • SOC 2 Type II report
  • ISO 27001 certificate
  • Penetration test executive summary
  • Security questionnaire responses (SIG, CAIQ, custom)

Contact legal@smerptek.com to request these documents under NDA.

13. Updates to This Document

We continuously improve our security practices. This document is updated periodically to reflect current measures. Material changes will be communicated to customers.