Security & Infrastructure

• We're built on AWS. Your data is stored in AWS data centers with enterprise-grade security. We use PostgreSQL for your contacts and institutions, DynamoDB for customer data, and S3 for files - all encrypted at rest and in transit. Multi-availability zone deployment ensures high availability and automatic failover.
• We keep it simple and honest. We collect only what we need (email, name, company), we don't sell your data, and you can delete it anytime. We have a 99.5% uptime SLA, daily backups, and 5-minute health checks on our APIs. Monitor our real-time service status at status.getedulead.com. Customer notification within 72 hours for any security incidents.
• We're focused on building secure, reliable software. We follow AWS best practices, keep everything updated, and are always transparent about our security posture. All access requires authentication, APIs are rate-limited, and we maintain comprehensive audit logs.
• Your data stays yours. Complete data isolation between teams, RESTful API for data access, ability to export or delete your data at any time. No data leaves the United States, and we never use your data for anything other than providing our service.
• We work with trusted partners. AWS for infrastructure (SOC 2, ISO 27001), Stripe for payments (PCI DSS Level 1), OpenAI for AI processing (SOC 2 Type 2). Optional integrations with HubSpot and your own webhooks are available when you need them.

Edulead is committed to maintaining the highest standards of security and data protection for our educational technology platform. This document outlines our security practices, infrastructure architecture, and compliance measures to ensure the confidentiality, integrity, and availability of customer data.

Our Security Philosophy: We believe in defense in depth, transparency, and continuous improvement. Every architectural decision prioritizes security without compromising functionality. We leverage AWS's enterprise-grade infrastructure while maintaining our own robust security practices at the application level.

Key Security Features:

• End-to-end encryption for all data in transit and at rest
• Multi-tenancy architecture with complete data isolation between teams
• Automated security monitoring with real-time threat detection
• Regular security updates and dependency management
• Comprehensive audit logging and activity tracking
• 4-hour Recovery Time Objective (RTO) for disaster recovery

Compliance & Certifications: While Edulead leverages AWS infrastructure that maintains SOC 2 Type II, ISO 27001, and other certifications, we also implement our own security controls aligned with GDPR requirements and CCPA standards. We continuously evaluate and improve our security posture based on industry best practices and customer feedback.

This Document: Provides a comprehensive overview of our security architecture, practices, and policies. It's designed for security teams, compliance officers, and technical stakeholders who need to understand how Edulead protects customer data. We update this document regularly to reflect our evolving security landscape.

2.1. Cloud Infrastructure

Edulead is built on Amazon Web Services (AWS), leveraging enterprise-grade cloud infrastructure with the following key components:

• Primary Region: AWS us-east-1 with multi-availability zone deployment
• Core Services:
  • AWS Amplify for frontend hosting and deployment
  • AWS API Gateway for API management
  • AWS CloudFront for content delivery
  • AWS CloudWatch for monitoring
  • AWS CodeBuild for automated build and deployment pipelines
  • AWS Cognito for authentication
  • AWS DynamoDB for customer high-velocity data
  • AWS ECR (Elastic Container Registry) for container image management
  • AWS ECS for containerized services and workers
  • AWS Elasticsearch for contact and institution search
  • AWS Lambda for serverless compute
  • AWS RDS (PostgreSQL) for contacts and institutions database
  • AWS Route 53 for DNS management and global traffic routing
  • AWS S3 for file storage
  • AWS SES (Simple Email Service) for transactional email delivery
  • AWS Step Functions for workflow orchestration

2.2. Network Architecture

• DNS Management:
  • AWS Route 53 hosts authoritative nameservers for domain resolution
  • Low-latency DNS resolution with global anycast network
• Content Delivery:
  • CloudFront edge locations for global content distribution
  • Origin shield for reduced backend load
  • Custom SSL certificates for all domains

2.3. Application Architecture

• API Layer:
  • RESTful APIs built with Node.js and Nest.js
  • TypeScript for type safety and code maintainability
  • OpenAPI documentation for all endpoints
  • Stateless architecture for horizontal scalability
• Frontend Application:
  • React single-page application with TypeScript
  • Deployed via AWS Amplify with global CDN distribution
  • Responsive design for desktop and mobile access
• Data Architecture:
  • PostgreSQL with Prisma ORM for primary storage of contacts and institutions
  • Elasticsearch for full-text search and analytics
  • DynamoDB for high-throughput operational and customer data
• Asynchronous Processing:
  • AWS Step Functions for complex multi-step workflows requiring state preservation
  • AWS ECS for containerized background processing
  • AWS Lambda for real-time event processing and webhooks
• Performance & Reliability:
  • Lambda Provisioned Concurrency for consistent sub-second API response times
  • CloudFront edge caching for static assets and API responses
  • Database connection pooling via Prisma ORM
  • Query optimization and database indexing
• Authentication & Authorization:
  • JWT-based authentication with AWS Cognito
  • Team-based multi-tenancy where each team can only access their own data
  • API key authentication for programmatic access
  • Session management with automatic token refresh
• API Security:
  • TLS 1.2+ required for all connections
  • Rate limiting per API key and IP address
  • Request validation and sanitization
  • CORS policies for browser security

3.1. Customer Data Collected

We collect minimal customer information necessary for account management:

• Email Address: For authentication and communication
• First Name & Last Name: For account identification
• Company Name: For team/organization association

3.2. Data Protection

• Encryption at Rest: All data encrypted using AES-256 encryption
• Encryption in Transit: TLS 1.2+ for all data transmission
• Database Security:
  • Encrypted RDS instances with automated backups
  • DynamoDB encryption at rest enabled
  • Elasticsearch domains with encryption enabled
• File Storage: S3 with server-side encryption and access controls

3.3. Access Controls

• Authentication: Secure login with optional multi-factor authentication
• Authorization: APIs authorized at team and user level
• API Security: Token-based authentication with expiration
• Admin Access: Separate administrative access with audit logging

3.4. Data Location & Residency

• All customer data is stored in AWS data centers located in the United States
• Data backups are maintained within the same geographic region
• No customer data is transferred outside the United States

4.1. Security Standards

• OWASP Top 10: Application security follows OWASP guidelines
• SOC 2: AWS infrastructure is SOC 2 Type II certified
• ISO 27001: AWS infrastructure maintains ISO 27001 certification
• GDPR Ready: Privacy controls and data subject rights supported
• CCPA Compliant: California privacy law requirements met

4.2. Data Privacy

• Data Minimization: We only collect data necessary for service operation
• Purpose Limitation: Data is used only for stated purposes
• Data Retention: Defined retention policies for different data types
• Right to Deletion: Complete data deletion available upon request

5.1. Infrastructure Provider

Amazon Web Services (AWS)

• Purpose: Cloud infrastructure and hosting
• Data Location: United States
• Compliance: SOC 2, ISO 27001, GDPR, HIPAA
• Security Information: aws.amazon.com/security

5.2. Payment Processing

Stripe (for billing customers only)

• Purpose: Payment processing
• Data Handled: Payment information only
• Compliance: PCI DSS Level 1
• Security Information: stripe.com/security

5.3. AI Processing

OpenAI

• Purpose: AI-powered signal classification and content analysis
• Data Handled: Web content and business signals for analysis
• Compliance: SOC 2 Type 2
• Security Information: openai.com/security

5.4. Optional Integrations

HubSpot (when enabled by customer)

• Purpose: CRM integration
• Data Handled: Contact information
• Compliance: GDPR, SOC 2
• Security Information: hubspot.com/security

Customer Webhooks (when configured)

• Purpose: Real-time data synchronization with customer systems
• Data Handled: Configurable event data based on customer preferences
• Security: HTTPS-only with authentication tokens

6.1. Continuous Monitoring

• Real-time Monitoring: 24/7 system health monitoring - track our service status at status.getedulead.com
• Security Logging: Comprehensive audit logs with retention
• Threat Detection: Automated security alerts and anomaly detection
• Performance Monitoring: Proactive issue identification

6.2. Incident Response

• Response Procedure: Documented incident response plan
• Notification Timeline: Customer notification within 72 hours of confirmed breach
• Investigation: Root cause analysis for all security incidents
• Remediation: Prompt patching and security updates

7.1. Backup & Recovery

• Database Backups: Automated daily backups of PostgreSQL and DynamoDB with 30-day retention
• Point-in-Time Recovery: Database restoration to any point within retention period
• File Backups: Redundant storage with versioning
• Disaster Recovery: Tested recovery procedures with 4-hour RTO

7.2. Availability

• Uptime Target: 99.5% availability SLA (getedulead.com/sla)
• Redundancy: Multi-availability zone deployment
• Auto-scaling: Automatic capacity adjustment
• DDoS Protection: AWS Shield Standard protection

8.1. Secure Development Lifecycle

• Version Control: Git-based source code management
• CI/CD Pipeline:
  • AWS Amplify native pipeline for frontend deployments
  • AWS CodeBuild for automated builds and testing
  • AWS ECR for secure container image storage with vulnerability scanning
  • Automated deployment to ECS clusters
• Dependency Management: Regular updates to dependencies
• Environment Isolation: Isolated development, staging, and production environments
• API Monitoring: 5-minute automated canary tests for API availability

8.2. Employee Access

• Principle of Least Privilege: Minimal access rights
• Multi-Factor Authentication: Required for all administrative access
• Access Management: Access granted on as-needed basis

9.1. Data Access & Portability

• API Access: RESTful API for programmatic data access
• Data Deletion: Ability to delete data upon request
• Account Closure: Complete data removal when closing account

9.2. Privacy Controls

• User Management: Customer-controlled user access
• Permission Management: Granular permission controls
• Data Segregation: Complete tenant isolation
• Compliance Tools: GDPR/CCPA compliance features

10.1. Security Practices

• API Health Checks: Continuous 5-minute canary tests
• Security Updates: Prompt patching when vulnerabilities are identified
• Monitoring: Ongoing monitoring of system security

10.2. Continuous Improvement

• Security Updates: Regular patching schedule
• Feature Reviews: Security assessment for new features
• Risk Management: Ongoing risk assessment and mitigation
• Customer Feedback: Security enhancement requests welcomed

11.1. Security Team

• General Security Inquiries: support@getedulead.com
• Security Incident Reporting: support@getedulead.com
• Privacy Inquiries: support@getedulead.com
• Response Time: Within 24 hours for security-related inquiries

11.2. Additional Resources

• Status Page: status.edulead.com
• Privacy Policy: Available at edulead.com/privacy
• Terms of Service: Available at edulead.com/terms