How we protect your school’s data.
WEBNIFY is a multi-tenant school management platform built on India’s Digital Personal Data Protection Act, 2023 from the ground up. Every record carries a tenant identifier and every query is scoped to that tenant — so a school in Guwahati can never see a school in Delhi by accident. Data is encrypted at rest and in transit (TLS 1.3, HSTS preload). Sessions use JSON Web Tokens with 1-day rotation and role-based access control. Every privileged action — fee receipts, mark-sheet edits, payroll changes — is written to an append-only audit log, never silent overwrites. Backups are daily, versioned for 30 rolling days, restore-tested monthly, and stored encrypted in a different region. Schools can export every record at any time, free.
Last updated: 26 April 2026
Six structural protections.
These aren’t add-on security features. They’re how the platform was architected on day one.
Tenant isolation at the data layer
Every model in our database carries a `db` column. Every query is filtered by `db` before any data is read. A school in Guwahati can never see a school in Delhi, even by accident — the isolation is structural, not a permission flag that can be flipped.
Encryption in transit and at rest
All traffic between schools, our app and our database is HTTPS/TLS 1.3. Database backups, file storage, and caches are encrypted at rest. We use HSTS preload so browsers refuse to talk to webnify.org.in over plain HTTP at all.
JWT with rotation, RBAC roles
Sessions use JSON Web Tokens with 1-day rotation. Permissions are role-based — Owner, Principal, Vice-Principal, Teacher, Accountant, Librarian, Lab-Assistant, Transport, Support — enforced in middleware on every API call. No "admin can do anything" backdoor.
Audit log on every privileged action
Fee receipts, mark-sheet edits, teacher payroll changes, role assignments and tenant configuration are all written to an append-only audit log. Edits are recorded as new events, never silent overwrites — even an admin cannot rewrite history.
Daily versioned backups
Database is snapshotted daily and retained for 30 rolling days. Restore-tested monthly. Backups are encrypted and stored in a different region from the live database. Schools can request a full data export at any time, free.
Minimal cookie footprint
We set only the cookies necessary to keep a session alive and (when explicitly enabled by the school) anonymous analytics. No cross-site tracking, no advertising cookies, no fingerprinting libraries.
Your rights under DPDP Act 2023.
India’s Digital Personal Data Protection Act, 2023 gives every data principal (student, parent, staff member) specific rights over their data. WEBNIFY respects them.
- Right to access — students, parents and staff can request all data we hold about them.
- Right to correction — a school admin can update any record; the audit log preserves the history.
- Right to erasure — schools can request graduated-student data archival or full deletion.
- Right to portability — full export to CSV / JSON / Tally XML, free, on demand.
- Right to grievance redressal — escalate to the Data Protection Officer at the email below.
Reporting an incident
If you believe your school’s data has been exposed, lost, or accessed inappropriately, contact us immediately. We commit to acknowledge within 4 working hours and provide a written incident report within 72 hours, in line with DPDP Act 2023 obligations.
Need a copy of our security policy?
Email support@webnify.co.in with your school’s name and we’ll send the full security & privacy policy PDF, our DPIA template, and a sample data-processing agreement within 24 hours.