
Security Policy

Last updated: February 2026 · StudAI Technologies Pvt. Ltd.

1. Overview

Security is foundational to the StudAI BOS platform. We adopt a security-by-design approach, embedding security controls at every layer of our architecture—from infrastructure and application code to operational processes and personnel management.

This policy outlines the technical and organizational measures we implement to protect the confidentiality, integrity, and availability of customer data and the Service.

2. Infrastructure

StudAI BOS is hosted exclusively on Microsoft Azure India (Central India and South India regions), leveraging Azure’s enterprise-grade infrastructure:

  • Virtual Network (VNet) Isolation: All production resources are deployed within isolated virtual networks with strict network security group (NSG) rules and private endpoints.
  • Web Application Firewall (WAF): Azure Front Door with WAF policies protects against OWASP Top 10 threats, SQL injection, cross-site scripting (XSS), and other common attack vectors.
  • DDoS Protection: Azure DDoS Protection Standard provides volumetric and protocol-level attack mitigation.
  • Private Endpoints: Database, cache, and storage services are accessible only through private endpoints, eliminating public internet exposure.
  • Infrastructure as Code: All infrastructure is defined and managed through version-controlled templates, ensuring consistent and auditable deployments.

3. Authentication

  • JSON Web Tokens (JWT): Stateless authentication with short-lived access tokens and secure refresh token rotation.
  • Role-Based Access Control (RBAC): Granular role assignments (Organization Admin, Department Head, Team Lead, Member) control access to features and data.
  • Attribute-Based Access Control (ABAC): Fine-grained access decisions based on user attributes, resource properties, and environmental conditions.
  • Multi-Factor Authentication (MFA): Supported for all users; mandatory for Organization Administrators and users with elevated privileges.
  • Session Management: Configurable session timeouts, concurrent session limits, and the ability to revoke sessions remotely.
  • Password Policy: Minimum 12-character passwords with complexity requirements, breach-database checking, and rate-limited authentication attempts.
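The token model named in the list above (short-lived access tokens plus refresh-token rotation), as an added example that is not StudAI's code: a minimal HS256 JWT for the access token and opaque refresh tokens that are rotated on every use, with reuse of an already-rotated token treated as theft and the whole token family revoked. The 15-minute and 14-day lifetimes, the claim names, and the in-memory store are assumptions; only the standard library is used.

```python
# Added illustration, not StudAI's implementation. TTLs, claim names and the
# in-memory store are assumptions; standard library only.
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60            # assumption: 15-minute access tokens
REFRESH_TTL = 14 * 24 * 3600    # assumption: 14-day refresh tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        # Pin the algorithm: the verifier decides how to check, never the token.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class TokenService:
    """Server-side refresh-token state. Each login starts a token 'family'; every
    rotation marks the presented refresh token as used and issues a new pair.
    A used token presented again means it was captured or replayed, so the whole
    family is revoked, including the legitimate client's newest token."""

    def __init__(self, key: bytes):
        self.key = key
        self._refresh = {}              # sha256(token) -> record; raw tokens are never stored
        self._revoked_families = set()

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sub: str, family: str, now: float):
        access = sign_jwt({"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL}, self.key)
        refresh = secrets.token_urlsafe(32)
        self._refresh[self._fingerprint(refresh)] = {
            "sub": sub, "family": family, "exp": now + REFRESH_TTL, "used": False,
        }
        return access, refresh

    def login(self, sub: str, now=None):
        now = time.time() if now is None else now
        return self._issue(sub, secrets.token_hex(8), now)

    def rotate(self, refresh_token: str, now=None):
        """Exchange a refresh token for a new (access, refresh) pair, or None if invalid."""
        now = time.time() if now is None else now
        rec = self._refresh.get(self._fingerprint(refresh_token))
        if rec is None or rec["exp"] <= now or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            self._revoked_families.add(rec["family"])   # reuse detected: revoke the family
            return None
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"], now)

    def revoke(self, refresh_token: str) -> bool:
        """Remote session revocation: invalidate the whole family of this token."""
        rec = self._refresh.get(self._fingerprint(refresh_token))
        if rec is None:
            return False
        self._revoked_families.add(rec["family"])
        return True
```

Two design points worth noting: the verifier checks the `alg` header against what it expects rather than trusting the token to pick the algorithm, and refresh tokens are stored only as SHA-256 fingerprints, so a read of the token store does not yield usable credentials. In a deployment the store would be a database rather than a dict and the signing key would come from a vault such as the Key Vault the policy mentions.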

4. Encryption

  • At Rest: All data stored in databases, object storage, and backups is encrypted using AES-256 encryption with platform-managed keys. Enterprise customers may configure customer-managed encryption keys (CMEK).
  • In Transit: All network communications are encrypted using TLS 1.3. We enforce HTTP Strict Transport Security (HSTS) with a minimum max-age of one year.
  • Key Management: Encryption keys are managed through Azure Key Vault with hardware security module (HSM) backing, automatic rotation, and comprehensive access logging.

5. Access Control

We enforce the principle of least privilege across all systems:

  • Access to production systems is restricted to authorized personnel with a documented business need.
  • All production access requires multi-factor authentication and is routed through a bastion host with just-in-time (JIT) access provisioning.
  • Administrative actions are subject to comprehensive, immutable audit logging that captures the actor, action, target, timestamp, and source IP.
  • Access reviews are conducted quarterly to ensure access rights remain current and appropriate.
  • Service accounts use managed identities with minimal required permissions and no long-lived credentials.
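The immutable audit logging described in the list above, as an added example that is not StudAI's implementation (the policy does not say how immutability is achieved): a hash-chained log carrying the five listed fields, where each entry commits to the hash of its predecessor, so an edited, deleted, or truncated entry is detected on verification. The sample events are constructed.

```python
# Added illustration of a tamper-evident (hash-chained) audit log. Not StudAI's
# code; the sample events and the field names are constructed for this example.
import hashlib
import json

FIELDS = ("actor", "action", "target", "timestamp", "source_ip")
GENESIS = "0" * 64   # previous-hash value for the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the hash of its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, **record) -> str:
        missing = [f for f in FIELDS if f not in record]
        if missing:
            raise ValueError(f"audit record missing fields: {missing}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _entry_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": digest})
        return digest

    def head(self) -> str:
        """Hash of the latest entry; store this out-of-band to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None) -> int:
    """Return -1 if the chain is intact, else the index of the first failing entry.
    expected_head is the head hash kept in independent write-once storage."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or _entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)   # entries were removed from the end
    return -1


def build_sample_log() -> AuditLog:
    """Three constructed administrative actions."""
    log = AuditLog()
    log.append(actor="admin@example.invalid", action="role.assign", target="user:1042",
               timestamp="2026-02-03T09:14:05Z", source_ip="203.0.113.7")
    log.append(actor="admin@example.invalid", action="mfa.enforce", target="org:acme",
               timestamp="2026-02-03T09:15:30Z", source_ip="203.0.113.7")
    log.append(actor="ops@example.invalid", action="session.revoke", target="user:1042",
               timestamp="2026-02-03T11:02:44Z", source_ip="198.51.100.23")
    return log


def tampered_copy(entries, index, field, value):
    """Copy of the entries with one record field altered (simulates an edit)."""
    copied = [{"record": dict(e["record"]), "prev": e["prev"], "hash": e["hash"]} for e in entries]
    copied[index]["record"][field] = value
    return copied


def without_entry(entries, index):
    """Copy of the entries with one entry removed (simulates a deleted line)."""
    return [e for i, e in enumerate(entries) if i != index]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:   ", verify_chain(log.entries, log.head()))
    print("edited:   ", verify_chain(tampered_copy(log.entries, 1, "source_ip", "10.0.0.1"), log.head()))
    print("deleted:  ", verify_chain(without_entry(log.entries, 1), log.head()))
    print("truncated:", verify_chain(log.entries[:-1], log.head()))
```

The chain alone catches edits and deletions in the middle, but cutting entries off the end leaves a valid shorter chain; that is why `verify_chain` also accepts a head hash that has been written somewhere the log writer cannot change. Signing each head with a key the application does not hold, or shipping heads to a separate append-only store, is the usual way to close that gap.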

6. Incident Response

Our incident response program follows a structured process:

  1. Detection: Continuous monitoring through Azure Security Center, Azure Sentinel (SIEM), and application-level anomaly detection. Automated alerts for suspicious activities, unauthorized access attempts, and anomalous data flows.
  2. Containment: Immediate isolation of affected systems to prevent further damage. Preservation of forensic evidence for investigation.
  3. Notification: Affected customers are notified within 72 hours of a confirmed breach in accordance with the DPDP Act. Regulatory authorities are notified as required by law.
  4. Eradication & Recovery: Root cause analysis, remediation of vulnerabilities, system restoration from verified clean backups.
  5. Post-Mortem: Detailed incident report shared with affected customers, including timeline, root cause analysis, impact assessment, and preventive measures implemented.

7. Vulnerability Management

  • Automated Scanning: Regular vulnerability scans of infrastructure, application code, and third-party dependencies using industry-standard tools.
  • Penetration Testing: Annual penetration tests conducted by qualified third-party security firms. Additional testing performed after significant architectural changes.
  • Dependency Management: Automated monitoring and patching of third-party libraries and dependencies to address known vulnerabilities.
  • Patch Management: Critical security patches are applied within 24 hours, high-severity patches within 72 hours, and all other patches within 30 days.

Responsible Disclosure Program

We welcome responsible security research. If you discover a security vulnerability in the StudAI BOS platform, please report it to security@studai.in.

We request that you:

  • Allow us reasonable time (90 days) to investigate and address the vulnerability.
  • Avoid accessing data that does not belong to you.
  • Do not publicly disclose the vulnerability before we have had the opportunity to remediate it.

We will acknowledge your report within 48 hours and keep you informed of our progress.

8. Employee Security

  • Background Checks: All employees with access to customer data or production systems undergo background verification prior to onboarding.
  • Security Training: Mandatory security awareness training upon hiring and annually thereafter. Role-specific training for engineering and operations staff.
  • Confidentiality Agreements: All employees and contractors sign non-disclosure and confidentiality agreements (NDAs) prior to accessing any customer data or proprietary systems.
  • Offboarding: Access to all systems is revoked immediately upon termination. Exit procedures include return of all company assets and equipment.

9. Business Continuity

  • Backup Strategy: Automated daily backups with point-in-time recovery capability. Backups are encrypted and stored in a geographically separate Azure region.
  • Recovery Time Objective (RTO): Target of 4 hours for critical service components; 24 hours for non-critical components.
  • Recovery Point Objective (RPO): Target of 1 hour for databases; 24 hours for object storage.
  • Disaster Recovery: Active failover capability to Azure South India region. Disaster recovery procedures are tested semi-annually.
  • Redundancy: Application layer deployed across multiple availability zones with automatic health-check-based failover.

10. Responsible Disclosure

Security researchers and users who identify potential vulnerabilities are encouraged to report them responsibly:

Security Team

Email: security@studai.in

Response Time: Acknowledgement within 48 hours; resolution timeline communicated within 5 business days.