Security
We take the trust universities and their students place in us seriously. This page explains how we protect the data in our platform — plainly, without jargon.
Our commitments at a glance
- SOC 2 Type II certified: Independently audited controls across security, availability, and confidentiality
- GDPR compliant: We meet EU data protection standards and are committed to the rights of your users
- Hosted on AWS: Built on Amazon Web Services, one of the world's most trusted cloud platforms
- Encrypted everywhere: All data is encrypted in transit (TLS) and at rest (AES-256)
For details on what data we collect and how it's used, see our Privacy Policy and Cookies Policy.
Infrastructure & hosting
Our platform runs entirely on Amazon Web Services (AWS), in data centres that maintain their own comprehensive physical and environmental security programmes. We use AWS services that are themselves SOC 2 and ISO 27001 certified.
Data is stored primarily in AWS US-East 1 (N. Virginia). An encrypted backup is automatically maintained in AWS US-West 1 (N. California) for disaster recovery purposes. Data does not leave these two US regions without explicit agreement.
How we protect your data
- Authentication & two-factor security: We encourage strong passwords for all users and support two-factor authentication (2FA) via email or an authenticator app (TOTP). Admins at the organisation, faculty, and department level can enforce 2FA across their group, so your institution can set the standard that works for it.
- Encryption: All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.
- Access controls: Our team follows a strict least-privilege model. Employees only have access to the systems and data they need to do their job. Access is reviewed at least every 6 months and revoked promptly when roles change.
- Penetration testing: We conduct regular third-party penetration tests to identify and remediate vulnerabilities before they can be exploited. Findings are tracked and resolved on a defined timeline.
- Employee training: Every team member completes security awareness training. Our engineering team receives additional training on secure development practices.
Vulnerability disclosure
Found something? We want to hear about it. If you've discovered a potential security issue in our platform, please reach out to us at support@alldayta.com. We'll acknowledge your report within 48 hours and keep you updated as we investigate. We ask that you give us a reasonable time to address issues before any public disclosure.
Compliance
- SOC 2 Type II: Our controls are audited annually by an independent third party. Customers and prospects can request a copy of our report under NDA.
- GDPR: We act as a data processor for our customers and support your obligations as data controllers. We have a Data Processing Agreement (DPA) available on request. We do not transfer personal data outside of the regions agreed in your contract without appropriate safeguards.
If you have specific compliance requirements or are completing a vendor security questionnaire, our team is happy to help. You can review additional information about our policies and see a list of our subprocessors on our Trust Center or reach out to our team with specific questions at support@alldayta.com.
Questions?
We're always happy to talk through our security posture with your IT or procurement team. Email us at support@alldayta.com with your questions.