Security
Last updated: June 14, 2026
1. Overview
Security isn't a feature we bolted on — it's part of how CoachOS is built. This page explains, in plain language, how we protect the data your institute trusts us with.
2. Infrastructure & hosting
CoachOS runs on Vercel for application hosting and uses a managed Postgres database via Supabase. Both providers run in audited data centres with their own security and compliance programmes, and all traffic between your browser and our servers travels over HTTPS.
3. Encryption
All data in transit is encrypted using TLS. All data at rest in our database — student records, attendance, fee history, messages — is encrypted by our database provider. Passwords are never stored in plain text; they're hashed using a strong, industry-standard algorithm before being saved.
4. Account security
You can sign in with an email and password (hashed, never stored in plain text) or with Google sign-in. Password reset links are single-use and expire after a short window. We log sign-in activity, including last login time, so you can spot anything unusual.
5. Role-based access control
Every staff member is assigned a role, and the institute owner controls exactly which modules — students, attendance, fees, tests, settings, and more — each role can view or edit. Staff only ever see the data and actions they've been explicitly granted.
6. Multi-tenant data isolation
CoachOS is multi-tenant: every institute's data lives in the same database but is strictly scoped to that institute's account at the application level. There is no shared visibility between institutes — your students, fees, and messages are never visible to any other CoachOS customer.
7. Audit logging
Sensitive actions — fee record changes, permission updates, student record edits — are recorded in an audit log, giving institute owners visibility into who did what and when within their account.
8. WhatsApp integration
Parent communication runs on the official WhatsApp Business API (via Meta), not a third-party WhatsApp automation tool. Messages are only sent when triggered by an action you take in the dashboard — attendance marking, fee collection, results publishing, or a manual broadcast.
9. Backups & data retention
Our database provider performs regular automated backups so your data can be restored in the event of an incident. If you cancel your subscription, your data is retained for 90 days (during which you can export everything as Excel) and then permanently deleted from our systems.
10. Reporting a vulnerability
If you believe you've found a security issue in CoachOS, email hello@coachos.in with "Security" in the subject line and as much detail as you can share. We'll acknowledge your report within 2 business days. Please give us a reasonable window to investigate and fix the issue before disclosing it publicly.
11. Compliance
We're GDPR-aware in how we handle data for users in the European Economic Area, and we operate in line with applicable provisions of India's Information Technology Act, 2000. For more on data handling, see our Privacy Policy.
12. Contact us
Questions about our security practices? Email hello@coachos.in with "Security" in the subject line.