Security Policy

Asset Pilot EDU is operationally structured to support secure institutional technology operations. This policy describes security practices designed to protect platform integrity, institutional data, and user access.

Role-based access governs administrator, staff, parent, and leadership visibility. Parent accounts are scoped to linked students. Privileged actions require authenticated sessions with institutional credentials.

Sessions use HTTP-only cookies with server-side validation. Production environments require configured server secrets. Login attempts are rate-limited to mitigate brute-force access.

All production traffic is transmitted over TLS. Database connections use encrypted channels to US-hosted PostgreSQL infrastructure.

Device changes, repair actions, form signatures, and administrative operations are logged with timestamps to support institutional governance review and accountability.

Platform health is monitored continuously. Operational status is published at /status. Security inquiries and incident reports may be directed to security@assetpilotedu.com.

Demo accounts operate on isolated sample data and do not read or write live production records.

Infrastructure providers are selected for operational reliability and US data residency. Subprocessor details are documented in the Privacy Policy.