Trust Center

Security at iTutor

Schools, universities, and L&D teams trust iTutor with student and employee learning data. Below is how we protect that data — written for procurement teams, IT admins, and parents who want concrete answers, not marketing language.

Data encryption

All traffic between your browser, the iTutor application, and our backend is encrypted in transit using TLS 1.3. Data at rest — including uploaded study materials, account profiles, and progress records — is encrypted with industry-standard symmetric encryption on the storage layer.

Authentication credentials are never stored in plain text; passwords are hashed with a modern memory-hard algorithm with per-user salts.

Access control

Application access is governed by role-based access control. On individual accounts, only the account owner can read their own data. On institutional accounts, administrators define teacher and student roles, and visibility is scoped to the assigned class, course, or cohort. Cross-tenant data access is prevented at the query layer — no query path can return data from a tenant the requester does not belong to.

iTutor staff access to production data is restricted, logged, and granted only when required to investigate a support ticket or diagnose an incident. Staff actions on user data are auditable.

Authentication options

Individual accounts use email-and-password authentication, with optional sign-in via Google or Apple ID. Institutional accounts can require Single Sign-On (SAML 2.0, OIDC, or LTI 1.3) so the institution remains the source of truth for identity. Two-factor authentication is available on all account tiers.

Backups and recovery

Production databases are backed up daily with point-in-time recovery for a defined retention window. Backups are encrypted at rest and stored in a separate geography from the primary system. Recovery procedures are tested on a regular schedule.

Monitoring and incident response

Application and infrastructure logs are aggregated for security monitoring. We have an internal incident-response process covering detection, containment, eradication, recovery, and post-incident review. Material incidents affecting customer data are communicated to affected customers without undue delay, in line with regulatory requirements.

Penetration testing

iTutor undergoes annual third-party penetration testing covering the web application, the API surface, and the authentication system. Findings are tracked through to remediation. Summary reports are available to institutional customers under NDA on request.

Compliance posture

iTutor is built with privacy-by-design principles aligned with the EU General Data Protection Regulation (GDPR). For institutional customers, we offer Data Processing Agreements that articulate the controller / processor relationship, sub-processor lists, data residency options where applicable, and data-subject-request workflows.

For school deployments, we follow education-sector privacy expectations: data minimization, no behavioral advertising profiling of students, and strict scoping of any analytics to the educational use case.

Vulnerability disclosure

If you have discovered a security issue in iTutor, we want to hear from you. Please email us at the address below with steps to reproduce, the impact, and any proof-of-concept material. We commit to acknowledging your report within 5 business days, providing a status update within 14 days, and coordinating responsible disclosure timing with you.

Report a security issue: [email protected]

Last updated: 2026-05-04