Security

Schools and campuses trust Nexxora with sensitive records — enrollment data, grades, financial information, clinical placements, and communications. We design our architecture, processes, and vendor relationships to meet the expectations of educational institutions and applicable regulations.

Nexxora runs on modern cloud infrastructure with geographically distributed data centers, redundant networking, and automated scaling. Production environments are separated from development and staging systems. Infrastructure providers are selected for reliability and industry-standard security certifications.

• In transit — all connections to Nexxora use TLS (HTTPS) to encrypt data between browsers, mobile clients, and our servers.
• At rest — databases and object storage encrypt Customer data using industry-standard algorithms managed by our cloud providers, with keys protected in secure key management systems.
• Backups — backup snapshots are encrypted and access is restricted to authorized operations personnel.

Each school or campus operates in a logically isolated tenant. Customer data is scoped by tenant identifiers at the application and database layers so one institution cannot access another's records. Role-based access control (RBAC) further limits what administrators, faculty, staff, and students can view or change within a tenant.

• Unique credentials for each authorized user, with password policies configurable by administrators.
• Session management with automatic timeout and secure cookie handling.
• Granular permissions aligned to campus roles — e.g., registrar, instructor, billing, student self-service.
• Audit logging of significant actions for accountability and compliance reviews.

We recommend that institutions enforce strong passwords, promptly revoke access for departing employees, and limit administrative privileges to those who need them.

Our engineering team follows secure development practices, including code review, dependency monitoring, and regular patching of the application stack. We test for common vulnerabilities and apply defense-in-depth controls such as input validation, CSRF protection, and rate limiting on authentication endpoints.

Nexxora is built for institutions subject to FERPA and, where relevant, HIPAA and Title IV requirements. Customers remain the data controller for student education records; we act as a service provider processing data on their instructions, as described in our Privacy Policy.

We support institutional compliance through access controls, audit trails, document retention tools, and export capabilities. Formal compliance documentation and data processing agreements are available to Customers during onboarding.

We monitor platform health, error rates, and security signals around the clock. Alerts are routed to our operations team for investigation. If we identify an incident that affects Customer data, we will notify affected institutions without undue delay and cooperate on remediation in line with contractual obligations and applicable law.

Automated backups and disaster-recovery procedures are in place to restore service after hardware failures or regional outages. Recovery time and recovery point objectives are defined internally and reviewed periodically. Service availability updates are posted on our Status page.

We use carefully vetted subprocessors for hosting, email, SMS, payment processing, and observability. Each vendor is evaluated for security posture and bound by contractual data protection terms. A list of subprocessors is available to Customers upon request.

Access to production systems by Nexxora AI Technology personnel is granted on a least-privilege basis, requires multi-factor authentication where supported, and is logged. Employees receive security awareness training and are subject to confidentiality obligations.

If you believe you have discovered a vulnerability in Nexxora, please report it responsibly to support@nexxoracloud.ai with sufficient detail for us to reproduce the issue. Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.

For general security questions from existing Customers, contact your account administrator or reach out through our contact page.