Security Practices

Overview

AcademIQ is committed to bringing education technology into the classroom, and that mission relies on the security of our systems. We want our customers—whether application administrators, district leaders, teachers, or students—to have confidence that AcademIQ is a reliable and responsible steward of their sensitive information.

AcademIQ’s Privacy Policy and Terms of Use outline our approach to data handling, while this document provides an overview of our information security program. Our security strategy is guided by key principles: being threat-informed, leveraging automation for scalability, and striking the right balance between prevention and response. We continuously align our practices with the NIST Cybersecurity Framework.

Focus areas:

  • product security,
  • infrastructure security,
  • IT security.

Product Security

AcademIQ’s product security initiatives are designed to assess the security and privacy implications of new features and products during development, enabling our engineering team to enhance the platform safely and responsibly.

Secure Software Development Lifecycle

We conduct an application security review for all new development projects, incorporating threat modeling and code reviews. Significant changes trigger dedicated security design reviews. Our secure code review process flags high-risk code for manual inspection by security experts. Additionally, we integrate automated tools into our build pipeline to detect potential vulnerabilities.

All new engineering hires are required to review our secure coding guidelines, which are tailored to our technology stack and available in our internal knowledge portal. These guidelines include training on key topics such as OWASP’s Top Ten risks, including SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).

Security Features

Application and district administrators can invite users to their AcademIQ accounts with predefined permission levels, managed through a role-based access control (RBAC) system. To defend against brute-force attacks, AcademIQ implements rate limiting on login attempts.

Infrastructure Security

Our infrastructure security strategy is designed to empower our engineering teams by delivering the tools, systems, processes, and knowledge needed to build secure, privacy-focused solutions. AcademIQ’s infrastructure is entirely cloud-based, hosted on Microsoft Azure. Azure complies with a broad range of industry security standards, including SOC 1/SSAE 16/ISAE 3402, SOC 2, PCI DSS Level 1, ISO 27001, and FISMA. For more information, refer to the Azure compliance documentation on Microsoft Learn.

Vulnerability Scanning

We use automated security scanning tools to promptly detect changes or activities in our infrastructure that could pose security risks. Our security team routinely reviews and triages scan results to ensure timely and appropriate responses.

Change Management

Our infrastructure follows a structured change management process that includes source code control, peer code reviews, logging, and alerting for anomalous behavior. All production changes are deployed through an automated system that monitors for reliability issues and automatically rolls back problematic deployments. This automation enables us to deploy code to production safely and reliably, multiple times per day.

Availability and Disaster Recovery

AcademIQ maintains an uptime of 99.9% or higher. To protect our infrastructure from automated Denial of Service (DoS) attacks, we’ve implemented a robust set of tools and practices. As a fully cloud-based platform, our disaster recovery strategy follows Azure’s resiliency best practices, including the use of multiple availability zones to mitigate risks from single data center failures.

We regularly create secure data backups through our cloud provider, retaining them only as long as necessary — and never beyond 30 days. All backups are securely deprovisioned in accordance with cloud provider protocols.

Data Encryption in Storage and Transit

AcademIQ encrypts all Personally Identifiable Information (PII) both in transit — outside our private network — and at rest within it. We use robust cryptographic standards, including AES-256-GCM. Our TLS configuration for AcademIQ.school earns an 'A' rating from SSL Labs, and we enforce HTTPS through HTTP Strict Transport Security (HSTS) to ensure secure connections.

Data Isolation

AcademIQ uses logical separation to process data in a multi-tenant environment. Code-level access controls are tested before every production deployment. Data processing takes place in containerized environments with restricted external access. Services use ephemeral credentials for accessing data stores, and all data is stored exclusively within South Africa.

Network Isolation

To safeguard network services, AcademIQ deploys them within a Virtual Network (VPC), blocking all external traffic by default. Access to the production network is restricted to authorized personnel, logged, and protected by multi-factor authentication. All system-level access is gated through a bastion SSH host for enhanced security.

Logging

AcademIQ maintains centralized logging for both product and infrastructure-related events and metrics. All privileged system-level actions in production are recorded to ensure traceability and accountability.

Threat Detection

We have active monitoring, alerting, and incident response processes in place to detect and respond to suspicious activity across our infrastructure.

Patching

Our containers, language runtimes, and libraries are regularly updated to the latest supported versions, ensuring that security vulnerabilities are promptly addressed.

IT Security

Our IT security practices are designed to reduce complexity and help employees work securely without friction. The security team equips staff with the right tools, promotes open communication, and provides clear guidance behind every security decision.

Policies and Standards

Our information security policy is accessible via our internal knowledge portal. It includes a Data Classification Standard that outlines the various data types our employees handle and how each should be protected.

Device Policies

All devices with access to sensitive data must adhere to our configuration standards, including full disk encryption, automatic screen locks, and remote wipe capabilities. Our policy also governs approved software and update practices.

Account Policies

AcademIQ requires all passwords to be generated and securely stored in a password manager, and mandates the use of two-factor authentication (2FA) for sensitive accounts. OAuth authorization policies are in place for critical systems like G Suite, along with anti-phishing best practices. Employee accounts are provisioned and deprovisioned using automated processes where feasible.

Security Training

We foster a security-first culture through ongoing awareness programs and recognition of secure behavior. All new hires are required to complete information security training and review our security policies. Refresher training is provided regularly to keep security practices top-of-mind.

© 2025 Awumba Solutions. All rights reserved.