Data Protection & Security

Last Updated: January 1, 2025

Security Notice: At smartEdu, we employ enterprise-grade security measures to protect your educational data and ensure compliance with Vietnamese data protection regulations.

1. Data Protection Framework

Our data protection strategy is built on the principles of Privacy by Design and Security by Default, ensuring that data protection measures are integrated into all aspects of our system from the ground up.

1.1 Compliance Standards

  • Vietnamese Personal Data Protection Law - Full compliance with national regulations
  • Education Sector Data Standards - Adherence to Ministry of Education guidelines
  • ISO 27001 - Information security management standards
  • COPPA - Children's Online Privacy Protection Act compliance
  • FERPA - Family Educational Rights and Privacy Act principles

2. Technical Security Measures

2.1 Data Encryption

  • Encryption in Transit: TLS 1.3 encryption for all data transmissions
  • Encryption at Rest: AES-256 encryption for all stored data
  • Database Encryption: MongoDB Atlas encryption with customer-managed keys
  • Backup Encryption: All backups are encrypted with separate encryption keys

2.2 Access Control & Authentication

  • Multi-Factor Authentication (MFA): Required for all administrative accounts
  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • JWT Token Security: Secure session management with token expiration
  • Password Security: Bcrypt hashing with salt for all passwords
  • Session Management: Automatic logout and session timeout mechanisms

2.3 Infrastructure Security

  • Vietnam-Based Hosting: Data stored exclusively in Vietnamese data centers
  • GovCloud Infrastructure: Government-approved cloud infrastructure
  • Network Security: Firewalls, DDoS protection, and intrusion detection systems
  • Container Security: Docker containerization with security scanning
  • Load Balancing: Distributed architecture for high availability

3. Data Governance

3.1 Data Classification

Data TypeClassificationProtection Level
Student Educational RecordsHighly SensitiveMaximum Security
Personal Identification DataSensitiveHigh Security
Communication RecordsConfidentialStandard Security
System LogsInternalBasic Security

3.2 Data Lifecycle Management

  • Data Collection: Minimal data collection principle - only necessary information
  • Data Processing: Purpose limitation - data used only for stated purposes
  • Data Storage: Secure storage with regular integrity checks
  • Data Retention: Automated deletion based on retention policies
  • Data Disposal: Secure deletion with cryptographic erasure

4. Privacy Protection Measures

4.1 Data Anonymization & Pseudonymization

  • Analytics Data: Personal identifiers removed from analytical datasets
  • Research Data: Anonymized data for educational research purposes
  • Reporting: Aggregated data only for institutional reporting
  • Third-Party Sharing: Pseudonymized data for approved educational purposes

4.2 Student Privacy Protections

  • Parental Controls: Parents can access and control their children's data
  • Age-Appropriate Design: Special protections for users under 18
  • Educational Focus: Data use limited to educational purposes only
  • No Profiling: No automated decision-making that affects students
  • Transparent Processing: Clear information about how data is used

5. Security Monitoring & Incident Response

5.1 Continuous Monitoring

  • 24/7 Security Monitoring: Real-time threat detection and response
  • Vulnerability Scanning: Regular automated security assessments
  • Penetration Testing: Quarterly third-party security testing
  • Audit Logging: Comprehensive logging of all system activities
  • Anomaly Detection: AI-powered detection of unusual access patterns

5.2 Incident Response Plan

In case of a security incident:

  1. Immediate Containment: Isolate affected systems within 1 hour
  2. Assessment: Evaluate scope and impact within 4 hours
  3. Notification: Inform affected users within 24 hours
  4. Remediation: Implement fixes and security improvements
  5. Post-Incident Review: Analyze and improve security measures

6. Third-Party Security

All third-party integrations undergo rigorous security assessments:

6.1 Approved Integrations

  • MongoDB Atlas: SOC 2 Type II certified database hosting
  • Vercel/Railway: Enterprise-grade application hosting
  • Stripe: PCI DSS compliant payment processing
  • ViettelPay/Momo: Licensed Vietnamese payment providers
  • Education Database: Government-approved system integrations

6.2 Vendor Security Requirements

  • Data Processing Agreements (DPA) with all vendors
  • Regular security assessments and audits
  • Compliance with Vietnamese data protection laws
  • Incident notification requirements
  • Right to audit vendor security practices

7. User Security Best Practices

Help us protect your data by following these security guidelines:

For Students & Parents:

  • Use strong, unique passwords for your account
  • Never share your login credentials with others
  • Log out from shared computers
  • Report suspicious activities immediately
  • Keep your contact information updated

For Teachers & Staff:

  • Enable multi-factor authentication
  • Use encrypted devices for accessing student data
  • Follow data handling policies strictly
  • Report data breaches within 1 hour
  • Complete annual security training

8. Data Subject Rights

You have the following rights regarding your personal data:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of personal data
  • Right to Restriction: Limit how your data is processed
  • Right to Data Portability: Receive data in a machine-readable format
  • Right to Object: Object to certain processing activities

9. Regular Security Audits

We conduct comprehensive security assessments:

  • Monthly: Vulnerability scans and patch management
  • Quarterly: Penetration testing by certified security firms
  • Annually: Full security audit and compliance assessment
  • Continuous: Automated security monitoring and threat detection

10. Contact Security Team

For security concerns, data protection inquiries, or to report security incidents:

  • Security Team: security@smartedu.vn
  • Data Protection Officer: dpo@smartedu.vn
  • Incident Reporting: incident@smartedu.vn
  • 24/7 Security Hotline: +84 (365) 629 897
  • Emergency Contact: Available 24/7 for critical security issues

Transparency Report: We publish annual transparency reports detailing our security measures, incident statistics, and compliance updates. These reports are available upon request.

← Privacy Policy
Terms of ServiceBack to Home →