Security and data privacy.
Where your data lives
All Inkwelly data is hosted in AWS ap-south-1 (Mumbai). Data never leaves India. This matters for schools subject to DPDP (Digital Personal Data Protection Act, 2023) and for international schools whose parents ask about data residency.
Encryption
- In transit: 256-bit TLS 1.2+ on every request. Modern ciphers only.
- At rest: AES-256 encryption for database, file storage, and backups.
- Secrets: Managed by AWS KMS with strict IAM policies. No secret ever in source code.
- Backups: Daily, encrypted, 30-day retention; stored in a separate AWS region for disaster recovery.
Multi-tenant isolation
Every school is a distinct tenant. Data access is enforced at the database query level on every single request — there is no shared-state path that would let one school's data leak into another's queries. Our engineering reviews specifically check for tenant-isolation correctness on every change.
Role-based access control
Every user has a role (principal, admin, teacher, accountant, parent, student, driver) with granular permissions. A teacher cannot see fees. An accountant cannot see marks entry. A parent can only see their own child's data. Permissions are enforced server-side, not just hidden in the UI.
Authentication
- Email and phone-number-based authentication with OTP on SMS or WhatsApp.
- OAuth with Google, Microsoft, and Apple for staff.
- Session tokens with short expiry; refresh via secure rotation.
- Optional two-factor authentication for administrators.
Compliance and alignment
- DPDP Act 2023: Aligned with Indian data-protection requirements — lawful basis, purpose limitation, data minimisation, user rights.
- Children's data: Handled under institutional authorisation from the school and parental consent at enrolment.
- Razorpay compliance: Payment card data never touches Inkwelly servers; handled entirely by Razorpay's PCI-DSS-compliant infrastructure.
Infrastructure
- AWS ap-south-1 (Mumbai) for all production data.
- PostgreSQL with Point-in-Time Recovery enabled.
- Redis for session and caching, with Transparent Data Encryption.
- S3 for media with access logging and lifecycle rules.
- CloudFront CDN for static content delivery.
Operational security
- Structured logging with correlation IDs for every request.
- Audit trails for administrative actions (who changed what, when).
- Automated security updates for the base OS and runtime.
- Dependency vulnerability scanning on every build.
- Manual penetration testing at least annually.
Your rights
As a school (controller) and as a parent / student / employee (data subject), you have the right to:
- Access the personal data we process about you.
- Correct inaccurate data.
- Request deletion (subject to legal retention requirements and school policy).
- Export your data in portable, machine-readable formats.
- Withdraw consent where processing relies on consent.
Email hello@inkwelly.com with the subject "Data Request" and we'll respond within 3-5 business days.
Incident response
If we detect a security incident, we will notify affected schools within 72 hours with: a summary of what happened, what data was affected, what actions we took, and what you should do. We believe in transparency over reputation management.
Questions or concerns
Security is not a set-and-forget topic. If you have a question, a concern, or you want to schedule a security review before signing a pilot agreement, email hello@inkwelly.com or WhatsApp +91 7000303658. We'll get on a call within 2 business hours.