Last updated: July 18, 2026
Roxan Education OS is committed to the highest standards of data protection. As a multi-tenant education platform handling sensitive student, staff, and institutional data, we recognize the critical importance of data security and compliance with international data protection regulations including GDPR (for EU-based users), Ghana's Data Protection Act (Act 843), and COPPA (for US-based institutions serving children under 13).
Each subscribing institution is the Data Controller for the personal data of its students, staff, and parents. Roxan acts as the Data Processor, processing data on behalf of institutions according to their instructions and these policies. A formal Data Processing Agreement (DPA) is executed with each institution at provisioning time.
Each institution operates in a fully isolated database environment (Neon PostgreSQL branch). There is no shared data layer between tenants. Access controls are enforced at the infrastructure level, not just the application level.
All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Authentication tokens are cryptographically signed and have configurable expiration periods.
Role-Based Access Control (RBAC) ensures users only access data relevant to their role. The permission matrix is configurable per institution. Audit logs track all data access and modifications.
Our infrastructure is hosted on enterprise-grade cloud providers with SOC 2 Type II compliance. We conduct regular penetration testing, vulnerability scanning, and security audits. Automated backup systems ensure data recovery capability.
Data subjects (students, parents, staff) can exercise their rights through their institution's administrator. Rights include:
Requests are processed within 30 days. Institutions can perform bulk data exports from their admin dashboard at any time.
In the event of a data breach, we follow a strict incident response procedure:
Where data is transferred across international borders, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or adequacy decisions. Our primary infrastructure is located in regions that provide adequate protection for personal data.
Our Data Protection Officer oversees compliance with this policy and applicable data protection laws. Contact: dpo@roxan.com
This Data Protection Policy is reviewed quarterly and updated as needed to reflect changes in our practices, regulatory requirements, or industry standards. All institution administrators are notified of material changes.