RoxanRoxanEduOps
AboutTestimonialsContact

Data Protection Policy

Last updated: July 18, 2026

1. Our Commitment

Roxan Education OS is committed to the highest standards of data protection. As a multi-tenant education platform handling sensitive student, staff, and institutional data, we recognize the critical importance of data security and compliance with international data protection regulations including GDPR (for EU-based users), Ghana's Data Protection Act (Act 843), and COPPA (for US-based institutions serving children under 13).

2. Data Controller & Processor

Each subscribing institution is the Data Controller for the personal data of its students, staff, and parents. Roxan acts as the Data Processor, processing data on behalf of institutions according to their instructions and these policies. A formal Data Processing Agreement (DPA) is executed with each institution at provisioning time.

3. Lawful Basis for Processing

  • Contractual Necessity: Processing student and staff data is necessary for the performance of the education management contract between Roxan and the institution.
  • Legitimate Interest: Platform analytics, security monitoring, and service improvement are based on the legitimate interest of maintaining a secure, performant service.
  • Consent: Where required (e.g., marketing communications, testimonials), explicit consent is obtained and can be withdrawn at any time.
  • Legal Obligation: We may process data to comply with legal requirements, court orders, or regulatory mandates.

4. Technical Safeguards

4.1 Multi-Tenant Isolation

Each institution operates in a fully isolated database environment (Neon PostgreSQL branch). There is no shared data layer between tenants. Access controls are enforced at the infrastructure level, not just the application level.

4.2 Encryption

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Authentication tokens are cryptographically signed and have configurable expiration periods.

4.3 Access Controls

Role-Based Access Control (RBAC) ensures users only access data relevant to their role. The permission matrix is configurable per institution. Audit logs track all data access and modifications.

4.4 Infrastructure Security

Our infrastructure is hosted on enterprise-grade cloud providers with SOC 2 Type II compliance. We conduct regular penetration testing, vulnerability scanning, and security audits. Automated backup systems ensure data recovery capability.

5. Data Subject Rights

Data subjects (students, parents, staff) can exercise their rights through their institution's administrator. Rights include:

  • Right of Access: Request a copy of personal data held about them
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of personal data (subject to legal retention requirements)
  • Right to Restrict Processing: Request that processing be limited
  • Right to Data Portability: Receive data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interest

Requests are processed within 30 days. Institutions can perform bulk data exports from their admin dashboard at any time.

6. Data Breach Response

In the event of a data breach, we follow a strict incident response procedure:

  • Immediate containment and assessment within 1 hour of detection
  • Notification to affected institutions within 24 hours
  • Notification to relevant supervisory authorities within 72 hours (as required by GDPR)
  • Notification to affected data subjects without undue delay where required
  • Full post-incident review and remediation report within 14 days

7. International Data Transfers

Where data is transferred across international borders, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or adequacy decisions. Our primary infrastructure is located in regions that provide adequate protection for personal data.

8. Data Protection Officer

Our Data Protection Officer oversees compliance with this policy and applicable data protection laws. Contact: dpo@roxan.com

9. Regular Reviews

This Data Protection Policy is reviewed quarterly and updated as needed to reflect changes in our practices, regulatory requirements, or industry standards. All institution administrators are notified of material changes.

RoxanRoxan

The complete education operations system for modern institutions.

Product

  • About
  • Testimonials
  • Contact

Portals

  • Master Console

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Data Protection
© 2026 Roxan. All rights reserved.