Data security policy

Introduction

nexquare (“nexquare”), is committed to respecting its customers' online privacy and recognizes their need for appropriate protection and management of any personally identifiable information ("Personal Data") that may be shared.

Overview

This Data Security Policy (“Policy”) has been created to demonstrate our commitment to protecting information that we receive as a part of our software provision functions. Please review this Policy periodically as we may update it from time to time.

The terms of this Policy are to be read along with the Institution agreement and such other terms & conditions as may be specified by nexquare, from time to time. The governing law, jurisdiction and related matters with regards to this Policy shall be in accordance with the Institution agreement. This Policy has been created in compliance with applicable data protection laws including the EU Regulation 2016/679 or General Data Protection Regulation or GDPR, the UAE Data Protection Law (Federal Decree-Law No. 45/2021) and the Indian Digital Personal Data Protection Act, 2023 (“Applicable Laws”).

nexquare: Acts as a software provider and enables the Institution to conduct its operations using the nexquare platform (“nexquare Platform”). nexquare, in its role as a data processor, is responsible for safeguarding Personal Data by complying with requirements under the Applicable Laws and following commercially reasonable processes and practices.

Institution: Acts as the provider of educational services to the parent/student (“End User”), as per its terms and conditions. The Institution, in its role as a data controller, collects Personal Data from the End User/parent/student or data subject and is responsible for the handling of such Personal Data including elements such as defining what Personal Data to collect, how long to retain and how to handle deletion of the Personal Data when requested by the End User.

Why does nexquare collect Personal Information and how do we use it?

nexquare collects Personal Data from its clients i.e. schools and educational institutions (“Institution(s)”), for the purpose of enabling the Institution and the End User, to utilize and benefit from the operational and administrative services (“nexquare Services”) provided by the nexquare Platform, that they have consented to use.

The Personal Data collected in the nexquare Platform, is limited to data of End Users/parents and students that is required for the provision of nexquare Services and is shared/input into the nexquare Platform by the Institution or directly by the End User. Should the End User have any objection to sharing of Personal Data with nexquare, they can exercise their right to opt-out from accessing the nexquare Platform and receiving nexquare Services, by reaching out to the Institution directly. In case such a request is received by nexquare, it shall forward the same to the Institution who will need to take the decision and necessary action towards deleting any data records.

What Personal Data do we collect?

“Personal Data" means any non-public information that is shared by the Institution and may be used to identify an individual including, but not limited to, first and last names, phone numbers, email addresses or other details or information of the End User.

What measures do we undertake to secure Personal Data?

nexquare has set up and maintains a multi-tier system of data security as set out below, that enables protection against unauthorized access, unauthorized alteration, disclosure or destruction of Personal Data:

nexquare is hosted on a secure cloud environment on Microsoft Azure.

• The Azure infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure Azure data centers.
• Azure manages dozens of compliance programs in its infrastructure, ensuring local and regional data compliance.

Together with Azure, nexquare provides several security capabilities and services to increase privacy and control network access. These include:

• Azure firewall and security groups to protect the Virtual Network resources, with built-in high availability and unrestricted scalability
• Audit and activity logging enabled tracking all events.
• All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption using a service-managed key.
• Data in transit is encrypted with SSL across all services.
• MFA for user access adds an extra layer of security, requiring users to provide two or more verification factors to access Azure resources.
• NSG Flow Logs to track network traffic and monitor any unauthorized or suspicious activity, aiding in security incident detection.
• Azure Identity and Access Management (IAM) to control and manage access to Azure resources, ensuring that users have appropriate permissions and role-based access.
• Backups are encrypted and password-protected, ensuring that data remains confidential and secure, even in backup storage. This additional layer of protection safeguards information from unauthorized access.

Additional server level security includes:

• UFW firewall is enabled and configured to filter out traffic and allow only necessary traffic. Nessus and docker image scans using Snyk are executed to identify security vulnerabilities and take necessary actions to rectify them.
• OpenVPN is used for tunneling and encryption to create a secure private network between hosts on the Internet or private insecure LAN. All applications are secured using SSL. SFTP is used for file transfer.
• Security and system updates are reviewed periodically.
• Fail2ban is used on virtual machines to identify and block brute force login attempts to services.
• OpenSSH: SSH access allowed from only trusted IP addresses/VPN. SSH server configuration is analyzed and secured. Key based authentication is used instead of SSH password-based login.
• All open ports are regularly monitored.

Additional application-level security includes:

• Access to services and applications are restricted to only IP’s/Regions where the services are applicable.
• OWASP Compliance standards are adhered to throughout the application to detect and arrest broken authentication and session management, sensitive data exposure, XML eternal entity, broken access control, cross site scripting, insecure deserialization among others.
• Spring Security in Application - Authentication and access control framework for Application. 

At the individual End User level, nexquare maintains the following security standards;

• Role based privilege allocation to provide access to relevant data only.
• OTP based authentication for End Users
• Password verification (expiry, account lock, account deactivation).
• Session timeout.

Notwithstanding the above, the Institution(s) and End Users are solely responsible for (a) maintaining the confidentiality and security of their access number(s),password(s), security question(s) and answer(s), account number(s), login information, and any other security or access information, used by them to access the nexquare Platform and related nexquare Services/products; and (b) preventing unauthorized access or use of the information, files or data that they store or use on/through the nexquare Platform.

Who do we share Personal Data with?

Like with most global SaaS solutions, in order to successfully deliver its services, nexquare also may work with other specialist technology solutions and service providers and may be required to share essential Personal Data with such third parties. nexquare will take reasonable steps to ensure that these third-party service providers are obligated to protect the Personal Data received.

Additionally, when the Institution signs up to receive the nexquare Services, it also has the option to avail certain optional services, some of which may involve services provided by external third party applications. The Institution provides consent to such services and the sharing of essential Personal Data as part of its agreement with nexquare.

It is against nexquare’s policy to rent or sell any Personal Data. Any use of Personal Data other than for the purposes of providing nexquare Services shall only be with the Institution/End User’s consent.

Where is the collected Personal Data stored?

Personal Data collected by nexquare is securely stored on Microsoft Azure servers. The transfer of

such data and storage thereof is in compliance with Applicable Laws.

About Cookies and Other Tracking Technologies

At nexquare, we use cookies only for the protection and convenience of our customers. Cookies enable us to serve secure pages to our End Users without asking them to sign in repeatedly. If an End User's system is idle for more than an hour, however, the cookie will expire, forcing the End User to sign in again to continue their session.

This prevents unauthorized access to the End User's information while they are away from their computer or personal device. The End User may have the ability to reset their browser to refuse all cookies or to indicate when a cookie is being sent; however, some of the nexquare Platform features or services may not function properly without cookies. Tracking technologies may record information such as internet domain and host names; Internet protocol (IP) addresses; and operating system types; clickstream patterns; and dates and times that the nexquare Platform is accessed.

Our use of cookies and other tracking technologies allows us to improve the nexquare Platform. We may also analyze information that does not contain Personal Data for trends and statistics.

End User Consent

By using the nexquare Platform, the End User consents to the terms of our Data Security and Privacy Policy and to nexquare’s processing of Personal Data for the purposes given above.

Changes to this Policy

nexquare reserves the right to update, change or modify this Policy at any time at its sole discretion and without any obligation to inform the Institution and/ or End Users of the said changes. The revised/ amended Policy shall come to effect from the date of such update, change or modification.