Security posture
How AcroTechnical EduConsult protects student records, counselling notes, and institutional data at platform scale.
Security your DPO can review and sign off on.
Encryption, access control, audit logging, incident response, and infrastructure — designed for Nigerian tertiary institutions and reviewed quarterly by our security committee.
Encryption
In transit
All traffic to AcroTechnical is encrypted using TLS 1.3 with forward secrecy. HSTS is enforced, and plain HTTP requests are redirected to HTTPS. Internal service-to-service traffic uses mutual TLS within a private Nigerian VPC.
At rest
Student records, counselling notes, and AI conversation logs are encrypted at rest with AES-256-GCM. Per-tenant data encryption keys are wrapped by a customer-partitioned KEK managed in Nigerian-region HSMs. Backups are encrypted with independent keys rotated quarterly.
Access control
Platform users
Role-based access at the row level — students see their own record, counsellors see their assigned caseload, institution admins see their faculty, super admins see their tenant scope. MFA is mandatory for all counsellor and admin accounts. SSO is supported via SAML and OpenID Connect.
AcroTechnical staff
Staff access to customer data follows least privilege and requires a ticketed break-glass request with dual approval (engineering lead + DPO). All access is time-boxed, logged, and reviewed monthly by the security committee. Production-data debugging uses redacted datasets by default.
Audit logging
What's logged
Every authentication, permission change, student record access, counselling note edit, AI prompt, AI retrieval, and AI response. Logs are signed and stored in an append-only, write-once store in a separate account from production.
Retention & access
Logs are retained for 7 years. Institutions can export their own audit trail through the super-admin console at any time; NDPR data-subject access requests can be fulfilled from the log alone.
Incident response
Detection
24/7 automated monitoring covers authentication anomalies, data-access spikes, and AI safety-filter bypasses. Tier-1 on-call coverage is staffed in Lagos; tier-2 escalation goes to engineering leads and the security committee.
Notification
Under NDPR and the NDPA 2023, we notify affected institutions within 72 hours of confirming a qualifying breach, with a preliminary report including scope, root-cause hypothesis, and remediation steps. A full post-incident review is shared within 30 days.
Infrastructure
Nigerian data residency
Primary production runs in Lagos with a secondary availability zone. Backups and disaster recovery replicate to an Abuja region. Student records never leave Nigerian data-residency regions. A limited set of operational telemetry (error reporting, email delivery) transits through vetted processors outside Nigeria — minimised and non-sensitive.
Environment separation
Production, staging, and development run in isolated accounts with separate IAM, separate networks, and separate keys. Customer data never lands in non-production environments; synthetic datasets (including realistic Nigerian seed data) are used instead.
Pen testing & vulnerability management
External testing
Annual penetration test by an independent NITDA-accredited firm, with scope covering authentication, tenancy isolation, AI prompt/retrieval surfaces, and the employer API. Summary reports are available under NDA to institutional procurement teams.
Ongoing programme
Continuous dependency scanning, weekly static analysis, and a responsible-disclosure programme at security@acrotecheduconsult.com. Critical fixes ship within 48 hours; high-severity fixes ship within 7 days.
Responsible disclosure
Report security issues to security@acrotecheduconsult.com. We acknowledge within 24 hours and triage within 3 business days.
