โ† All Policies
๐Ÿ” Infrastructure

Security & Data Protection

How Edsteps protects your data at every layer, from infrastructure to access controls and incident response.

Effective: 1 May 2026
Last Updated: 1 May 2026
Version 1.0

Edsteps handles personal information from students at critical decision points in their lives. We take that responsibility seriously. This Security & Data Protection policy describes the technical, organisational, and procedural measures we put in place to protect your data against unauthorised access, loss, or misuse.

๐Ÿ”Our Security Commitment

Security at Edsteps is not a checklist; it is a continuous practice. We apply security thinking to every system, integration, and process that handles student data. Our security programme is built on three principles:

  • Minimal data collection: we only collect what is necessary to deliver platform services
  • Layered protection: multiple independent controls reduce the impact of any single failure
  • Continuous improvement: security posture is reviewed and updated regularly as threats evolve

No system is completely immune to security risks. Our commitment is to apply industry best practices diligently and to respond swiftly and transparently when issues arise.

Technical Safeguards

The Edsteps platform is built on infrastructure designed with security as a foundation:

  • All platform traffic is served exclusively over HTTPS with TLS 1.2 or higher
  • Platform infrastructure is hosted on reputable cloud providers with ISO 27001 and SOC 2 certifications
  • Regular automated vulnerability scanning is applied to all platform components
  • Penetration testing is conducted periodically by independent security teams
  • Firewalls, intrusion detection systems, and rate-limiting controls are applied at the network layer
  • System logs are monitored continuously for anomalous activity

Data Encryption

Your data is protected by encryption at rest and in transit:

  • In transit: All data transmitted between your device and Edsteps servers is encrypted using TLS
  • At rest: Sensitive data stored in our databases is encrypted using AES-256 or equivalent standards
  • Passwords: User passwords are never stored in plain text; they are hashed using strong cryptographic algorithms
  • Payment data: No full card details are stored by Edsteps; payment processing is handled by PCI-DSS compliant providers

๐Ÿ—Access Controls

Access to user data within the Edsteps organisation is strictly controlled:

  • Access to production systems is granted on a least-privilege basis, only to team members who require it for their role
  • Multi-factor authentication is required for all internal system access
  • Access permissions are reviewed regularly and revoked promptly when no longer needed
  • All internal access to user data is logged and auditable
  • Third-party access to data is governed by data processing agreements

No Edsteps team member accesses individual user data without a legitimate operational reason. Ad-hoc browsing of student data is strictly prohibited and enforced through access controls and audit logging.

Data Retention

We retain your data only for as long as necessary to provide services or meet legal obligations:

  • Active account data is retained for the duration of your platform membership
  • Following account deletion, personal data is removed within 30 days unless retention is required by law
  • Transaction and billing records may be retained for up to 7 years for legal and financial compliance
  • Aggregated, anonymised analytics data (which cannot identify individuals) may be retained indefinitely
  • Session logs and security audit trails are retained for a maximum of 12 months

Third-Party Security

Edsteps integrates with third-party services for payments, analytics, email, and cloud infrastructure. All third-party providers are evaluated for security posture before onboarding and are required to meet minimum security standards:

  • All data processors are bound by Data Processing Agreements (DPAs)
  • Third-party providers are required to maintain appropriate security certifications
  • Data shared with third parties is limited to what is strictly necessary for the service
  • We review third-party security practices periodically and on contract renewal

Incident Response

In the event of a security incident affecting user data, Edsteps follows a structured incident response process:

  • Immediate containment of the incident to prevent further exposure
  • Assessment of the scope, nature, and impact of the incident
  • Notification to affected users within 72 hours where a breach poses risk to their rights and freedoms
  • Notification to relevant regulatory authorities in line with applicable data protection law
  • Post-incident review and remediation to prevent recurrence

We are committed to communicating security incidents with transparency and clarity, not minimising or obscuring what happened.

Your Responsibilities

Platform security is a shared responsibility. We ask users to:

  • Use a strong, unique password for your Edsteps account
  • Enable two-factor authentication when available
  • Never share your login credentials with others
  • Log out of shared devices after using the platform
  • Report any suspicious activity or suspected unauthorised access immediately

โœ‰๏ธContact Security Team

If you have discovered a potential security vulnerability, have concerns about how your data is protected, or want to report a suspected breach, please contact us immediately:

  • Security issues: security@edsteps.com
  • General data protection: privacy@edsteps.com
  • Response time for security reports: within 24 hours

Found a security issue?

We take all security reports seriously and will investigate promptly. Responsible disclosure is always appreciated.
