Security
Last updated: March 31, 2026
Security is the foundation of everything we build at Scire. We protect student data, examination integrity, and institutional trust with enterprise-grade defenses, continuous monitoring, and a security-first engineering culture.
We handle sensitive educational data including biometric recordings, exam transcripts, and student performance metrics. Our infrastructure and processes are designed to meet or exceed the requirements of ISO 27001, SOC 2 Type II, and the Digital Personal Data Protection Act, 2023. For details on how we handle personal data, see our Privacy Policy.
Infrastructure Security
Scire is hosted on Amazon Web Services (AWS) in the Mumbai region (ap-south-1), ensuring data sovereignty and low-latency access for Indian users.
- Network Isolation. All compute resources operate within a Virtual Private Cloud (VPC) with strict ingress/egress controls. Databases and application servers run in private subnets, never directly exposed to the internet.
- DDoS Protection. AWS Shield Standard for automatic mitigation, CloudFront CDN with edge-level threat blocking, and WAF rules on all public endpoints.
- High Availability. Multi-AZ deployment for automatic failover, auto-scaling groups for traffic spikes during exam windows, and daily encrypted database snapshots replicated across availability zones.
- Monitoring. 24/7 real-time infrastructure monitoring via AWS CloudWatch, centralized log aggregation, and automated alerting for anomalous patterns.
Data Encryption
We employ industry-leading encryption at every stage:
- In Transit. All data transmitted between clients and servers is encrypted using TLS 1.3. We enforce HSTS headers and score an A+ on SSL Labs tests.
- At Rest. All stored data — including exam recordings, transcripts, and PII — is encrypted using AES-256 with keys managed by AWS KMS, FIPS 140-2 compliant.
- Database. MongoDB Atlas with encrypted storage engine and encrypted backups.
- Media. Audio/video exam recordings encrypted in S3 with server-side encryption (SSE-KMS).
- Secrets. Application secrets and API keys stored in AWS Secrets Manager, never committed to source code.
- Passwords. Hashed using bcrypt with a cost factor of 12. Plaintext passwords are never stored.
Access Control
We operate on the principle of Least Privilege — every user and system component is granted only the minimum access necessary.
- Employee Access. Only authorized engineering and support personnel access production environments, authenticated via SSO with mandatory MFA.
- RBAC. Granular role-based access control across the platform — students, instructors, and admins have strictly scoped permissions.
- VPN & Bastion. Direct SSH to production is prohibited. Administrative access is routed through VPN and bastion hosts with session recording.
- Audit Logging. All access to personal data and admin actions are logged with immutable audit trails, retained for a minimum of 12 months.
- Quarterly Reviews. All production access privileges are reviewed quarterly, and unnecessary permissions are revoked.
Application Security
Security is embedded into every stage of our Software Development Lifecycle:
- Secure Coding. All engineers follow OWASP Top 10 guidelines and our internal secure coding standards.
- Automated Scanning. SAST and DAST scans run in every CI/CD pipeline. Vulnerabilities block deployment.
- Dependency Management. Automated scanning for known CVEs in third-party libraries via Dependabot and Snyk.
- Code Review. Mandatory peer review for all changes. Security-sensitive changes require senior engineer approval.
- Penetration Testing. Annual third-party penetration testing by independent security firms, with findings remediated within SLA timelines.
AI & Examination Security
Our examination system incorporates multiple layers of security to protect exam integrity:
- Proctoring. Real-time computer vision detects gaze aversion, unauthorized persons, secondary devices, and environmental anomalies.
- Anti-Tampering. Detection of virtual cameras, screen sharing tools, remote desktop software, and browser developer tools during active exams.
- Question Isolation. Exam questions are generated dynamically and delivered in real time, preventing pre-exam leaks.
- Secure Transmission. Exam audio/video streamed over encrypted WebRTC connections.
- AI Model Isolation. Models hosted on isolated infrastructure with minimized input/output logging to protect student privacy.
Compliance
We are committed to meeting the highest standards of regulatory compliance:
- GDPR & DPDPA 2023 — Compliant.
- IT Act, 2000 & SPDI Rules, 2011 — Compliant.
- ISO 27001 — Certification in progress (target: Q4 2026).
- SOC 2 Type II — Certification in progress (target: Q4 2026).
- FERPA — Compatible for US-based institutions.
Certificates will be made available to institutional customers upon request once obtained.
Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities from the security research community.
Scope: All Scire-owned domains, APIs, and applications. Third-party services and social engineering are out of scope.
Guidelines:
- Do not publicly disclose the vulnerability before it has been fixed.
- Do not access, modify, or delete data that does not belong to you.
- Provide sufficient detail for us to reproduce and validate the issue.
- Allow 90 days for remediation before public disclosure.
We acknowledge valid reports within 48 hours and provide a remediation timeline within 5 business days. Valid reports are eligible for our Security Hall of Fame and monetary rewards based on severity.
Report vulnerabilities to: security@mail.scire.in
PGP key available at scire.in/.well-known/security.txt
Incident Response
We maintain a comprehensive Incident Response Plan:
- Detection. Automated monitoring detects anomalous activity in real time.
- Containment. Suspected incidents are contained within minutes through automated playbooks and manual escalation.
- Notification. Affected individuals and regulatory authorities are notified within 72 hours of a confirmed breach, as required by the DPDPA and GDPR.
- Post-Mortem. Blameless post-mortem analysis with documented findings used to improve defenses.
- Communication. Status updates during active incidents published on our status page. Institutional customers receive direct communication.
Personnel Security
- Background Checks. All employees with access to sensitive data undergo background verification prior to onboarding.
- Training. Mandatory security awareness training during onboarding and quarterly refreshers.
- NDAs. All employees sign confidentiality agreements extending beyond employment.
- Offboarding. Access revoked within 4 hours of departure. Equipment securely wiped.
Contact Information
For security-related questions or to report a vulnerability:
Email: security@mail.scire.in · ciso@mail.scire.in
Address: Remote, India