The security practices Kikavu Tech Solutions applies to protect client data, systems, and infrastructure.
This Information Security Policy summarises the security practices Kikavu Tech Solutions applies to protect client data, systems, and infrastructure, aligned with internationally recognised practices consistent with ISO/IEC 27001 principles.
Access to production systems, client data, and hosting infrastructure is granted on a least-privilege, role-based basis, with multi-factor authentication required for administrative access.
We use firewalls, network segmentation, and reputable cloud/hosting providers with their own physical and infrastructure security controls to protect hosted systems.
Software is developed following secure coding practices, with code review, dependency/vulnerability monitoring, and regular patching of frameworks and libraries.
Data in transit is protected using TLS/SSL encryption. Sensitive data at rest, including passwords, is stored using industry-standard hashing and encryption techniques.
GPS tracking devices and data transmission channels are secured through authenticated device connections and encrypted data transmission to our platform.
Student, staff, and parent records within School Management Systems are access-restricted to authorised school accounts and protected using the same security controls applied across our hosted platforms.
Data submitted to AI-enabled features is transmitted securely and processed under confidentiality terms with AI infrastructure providers; we do not permit client data to be used to train public third-party models without explicit consent.
We perform regular backups of hosted client data and maintain disaster recovery procedures designed to restore critical services in the event of a major incident.
We maintain an incident response process to detect, contain, investigate, and remediate security incidents, including notification to affected clients in accordance with our Data Processing Agreement.
Staff and contractors with access to client data are bound by confidentiality obligations and receive periodic security awareness guidance.
Third-party providers (hosting, payment, AI, communications) are selected with reasonable diligence regarding their security practices and are bound by contractual confidentiality and data protection obligations.
This Policy and our underlying controls are reviewed periodically and updated to reflect emerging threats, technology changes, and regulatory developments.