Last updated: May 2026
At HBA Compass, protecting the data of students, teachers, and families is our highest priority. We apply industry-standard security practices across every layer of our infrastructure.
We continuously review and improve our security posture. This document outlines the technical and organisational measures we have in place to keep your data safe.
All data stored in HBA Compass is encrypted at rest using AES-256 encryption. This means even in the unlikely event of a storage breach, your data remains unreadable without the decryption key.
All data in transit between your browser and our servers is protected using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not allow unencrypted connections.
HBA Compass uses role-based access control (RBAC) to ensure each user can only see and interact with data relevant to their role. School admins, teachers, parents, and students each have strictly scoped permissions.
Administrative access to production systems is restricted to a small number of authorised engineers. All internal access is logged and reviewed regularly. Two-factor authentication (2FA) is available for all accounts.
Your school's data is backed up automatically every day. Backups are stored in a separate geographic region from the primary database to ensure resilience against localised outages.
We retain daily backups for 30 days, giving us the ability to restore your data to any point within the last month in the event of accidental deletion or corruption.
In the event of a confirmed data breach, we will notify affected schools within 72 hours of becoming aware of the incident, in accordance with applicable data protection regulations.
Our incident response plan includes immediate containment, root-cause analysis, and remediation. We will provide clear communication throughout the process and document lessons learned.
HBA Compass is designed to align with India's Personal Data Protection Bill (PDPB) principles, including data minimisation, purpose limitation, and user consent.
We do not sell or share student or teacher data with third parties for advertising or commercial profiling purposes. Data shared with third-party services (such as payment processors) is strictly limited to what is necessary for that service.
If you discover a potential security vulnerability in HBA Compass, please report it responsibly to support@thehbacompany.com. We take all reports seriously and will respond within 24 hours.
For general security questions or concerns about how your school's data is handled, you can also reach us at support@thehbacompany.com.