Security Policy

Last Updated: January 2, 2026

1. Introduction

PT. Pintar Manajemen Sekolah ('Cekolah') is committed to protecting our users' data and privacy with the highest security standards. This Security Policy explains how we protect our systems and your data from cyber threats.

Our policy aligns with international standards such as ISO 27001 (Information Security Management System) and complies with Indonesian cybersecurity regulations.

2. Security Principles

  • Confidentiality: Only authorized parties can access the data intended for them
  • Integrity: Data cannot be modified or deleted without authorization
  • Availability: Data and systems are accessible when needed
  • Accountability: Every activity is logged and traceable
  • Principle of Least Privilege: Users have only the minimum access necessary for their tasks

3. Data Encryption

3.1 Encryption In Transit

All data transferred between user devices and Cekolah servers is encrypted using:

  • TLS 1.3 (Transport Layer Security) - Latest encryption standard for secure communication
  • AES-256-GCM - Strong symmetric encryption algorithm
  • Perfect Forward Secrecy (PFS) - Prevents decryption of previously recorded sessions if the server key is ever compromised

Our SSL/TLS certificates are issued by trusted Certificate Authorities (CA) and renewed regularly.

3.2 Encryption At Rest

Data stored in our databases and storage is encrypted using:

  • AES-256 - Industry standard for data storage encryption
  • Key Management Service (KMS) - Centralized and secure encryption key management
  • Database-level encryption - Encryption applied at the database level as an additional security layer

3.3 Password Encryption

User passwords are never stored in plaintext or in reversibly encrypted form:

  • Argon2id - Modern password hashing function from the Argon2 family, resistant to GPU/FPGA attacks
  • Scrypt/PBKDF2 - Industry-recognized alternative hashing functions
  • Salting - Each password uses a unique salt to prevent rainbow table attacks
  • High iteration count - Slows down brute-force attacks

4. Access Control

4.1 User Authentication

We implement strong authentication to secure user accounts:

  • Multi-Factor Authentication (MFA): Mandatory for admin access and recommended for all users
  • Session Management: Automatic session expiration after a period of inactivity (30 minutes by default)
  • Secure Password Policy: Minimum 8 characters with letter, number, and symbol combination
  • Account Lockout: Temporary lock after multiple failed attempts to prevent brute-force attacks
  • Social Login: Integration with Google, Facebook, etc. using secure OAuth 2.0

4.2 Role-Based Access Control (RBAC)

Our system implements RBAC to control access based on roles and resources:

  • Role Hierarchy: owner (100) > principal (90) > admin (80) > teacher (50) > staff (30) > parent (10) > student (10) > member (5)
  • Resource-Level Permission: Each resource (student, class, finance, etc.) has separate access control
  • Custom Roles: Schools can create up to 10 custom roles per organization
  • Audit Trail: All access activities are logged for audit

4.3 Employee Access

Cekolah employee access to production systems is strictly controlled:

  • Access is granted only based on job requirements (principle of least privilege)
  • Multi-factor authentication is mandatory for employee access
  • Encrypted VPN required for remote access
  • Employee sessions automatically expire after 1 hour of inactivity
  • All employee activities are logged and audited regularly

5. Multi-Tenant Security

Cekolah's multi-tenant architecture ensures strict data isolation between schools:

  • Logical Data Isolation: Each school has logically isolated data with a unique identifier
  • Tenant Context Enforcement: Each request contains a validated tenant identifier
  • Cross-Tenant Protection: Mechanisms to prevent accidental or intentional cross-tenant access
  • Separate Database Schema: Use of separate schemas or row-level security for isolation
  • Tenant-Level Backup: Backup and recovery can be performed per school

6. Network Security

We implement multiple layers of network security:

  • Web Application Firewall (WAF): Filters and blocks malicious requests before they reach the servers
  • DDoS Protection: Distributed denial-of-service attack mitigation system
  • Rate Limiting: Limiting the number of requests per IP/User to prevent abuse
  • IP Whitelisting/Blacklisting: Controlling access based on IP address
  • Secure DNS: Using DNSSEC to prevent DNS spoofing attacks
  • Network Segmentation: Separating networks for better security

7. Application Security

  • Input Validation: All inputs are validated and sanitized to prevent injection attacks (SQLi, XSS, etc.)
  • Output Encoding: Encoding output to prevent cross-site scripting (XSS)
  • CSRF Protection: Anti-CSRF tokens for every state-changing request
  • Content Security Policy (CSP): CSP header to control which content sources can be loaded
  • HTTP Strict Transport Security (HSTS): Forcing HTTPS connection for all communication
  • Secure Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, etc.
  • Dependency Management: Regular updates to patch vulnerabilities in third-party libraries

8. Monitoring and Auditing

We monitor systems 24/7 to detect and respond to security incidents:

  • Real-time Monitoring: System activities, error logs, and anomalies are monitored in real time
  • Security Information and Event Management (SIEM): Centralized system to collect and analyze security logs
  • Intrusion Detection System (IDS): Automatic detection of intrusion attempts
  • Audit Logs: Logging of user activities, system events, and configuration changes
  • Log Retention: Storing security logs for a minimum of 90 days for investigation
  • Regular Security Audits: Audits conducted regularly by the internal team and third parties
  • Penetration Testing: Regular penetration testing to identify vulnerabilities

9. Data Backup and Recovery

We implement a comprehensive backup strategy to protect against data loss:

  • Automated Backups: Automated daily, weekly, and monthly backups
  • Geographic Redundancy: Backups stored in different geographic locations for disaster recovery
  • Encrypted Backups: All backups are encrypted using the same standards as production data
  • Immutable Backups: Backups cannot be modified, which prevents ransomware from tampering with them
  • Restore Testing: Periodic restore testing to verify backup integrity
  • Point-in-Time Recovery: Ability to restore to a specific point in time

10. Incident Response

We have structured incident response procedures for handling security incidents:

10.1 Incident Response Team

  • Security Analyst - Detect and analyze incidents
  • Security Engineer - Isolate and remediate incidents
  • Legal Counsel - Provide compliance and legal guidance
  • Communications - Handle external communications

10.2 Incident Response Process

  1. Detection and Analysis - Identifying the incident, determining scope and impact
  2. Containment - Isolating affected systems to prevent spread
  3. Eradication - Removing the threat and analyzing the root cause
  4. Recovery - Restoring systems and data from clean backups
  5. Post-Incident Activity - Reviewing and improving procedures, documenting lessons learned

10.3 Incident Notification

In case of a security incident affecting personal data, we commit to:

  • Notifying affected users within 24-72 hours
  • Reporting to Kominfo and relevant authorities within 3x24 hours
  • Providing a dedicated communication channel for the incident
  • Being transparent about what happened and the steps taken

11. Third-Party Security

We evaluate the security of third-party service providers before integration:

  • Security Assessment: Evaluation of security standards and certifications (ISO 27001, SOC 2, etc.)
  • Data Processing Agreements: Legally binding data processing agreements
  • Regular Audits: Periodic audits of third-party security practices
  • Data Flow Control: Monitoring and controlling data flow to and from third parties

12. User Security Responsibilities

To maintain account and data security, users are expected to:

  • Use strong and unique passwords for Cekolah
  • Enable multi-factor authentication (MFA)
  • Not share account credentials with others
  • Log out after using the platform
  • Avoid accessing the platform on public computers or untrusted devices
  • Keep devices and software updated
  • Report suspicious activities immediately to Cekolah support
  • Maintain the confidentiality of student data you have access to

13. Compliance

Cekolah is committed to compliance with security regulations and standards:

  • UU PDP No. 27 of 2022: Indonesian Personal Data Protection
  • UU ITE No. 11 of 2008: Electronic Information and Transactions
  • PSE Regulation (Kominfo): Electronic System Provider
  • ISO 27001: Information Security Management (in certification process)
  • OWASP Top 10: Prevention of the most critical web application vulnerabilities

14. Vulnerability Disclosure

We appreciate help from the security community. If you find a vulnerability in Cekolah:

  • Report via email: security@cekolah.com
  • Provide technical details to help us reproduce and fix the issue
  • Do not exploit the vulnerability or access other users' data
  • We will respond within 48 hours and provide progress updates

Responsible security researchers will be acknowledged on our hall of fame page.

15. Contact Us

For questions or concerns related to security:

Security Email: security@cekolah.com

General Email: malikcekolah@gmail.com

Phone: 0858-0900-0988

For urgent security incidents, call the phone number above for a quick response.

We regularly review and update this Security Policy to reflect best practices and regulatory changes.