Security

Trust, written down

Schools trust us with sensitive data - learners, families, finances, grades. Here’s how we protect it, plainly listed and verifiable.

What we do

Six things, taken seriously

Encrypted, end to end

Data in transit uses TLS 1.3. Data at rest uses AES-256, with keys managed by AWS KMS. Backups are encrypted with separate keys.

POPIA-aligned

Data ownership, audit trails, consent flows, and retention controls all built around the Protection of Personal Information Act.

Audit log on everything

Every state-changing action - sign-in, record edit, role change, fee reconciliation - is logged with actor, IP, and timestamp.

Daily backups, 35-day retention

Automated daily backups are encrypted and stored in our Cape Town region. Point-in-time recovery for the last 35 days.

SSO + 2FA, included

Google Workspace and Microsoft 365 SSO on every plan from Starter up. Two-factor authentication available for everyone, enforceable for admins.

Role-based access

Seven built-in roles plus custom permission sets. Least-privilege by default; the audit log catches anything else.

Data residency

Hosted in Cape Town

Customer data lives in AWS’s Cape Town region (af-south-1). Backups are encrypted and stored in the same region. We don’t replicate customer data outside South Africa without your explicit instruction.

  • Primary database in af-south-1 (Cape Town)
  • Encrypted backups in af-south-1
  • 35-day point-in-time recovery window
  • Tenant-level data export available on request

  • Region: AWS Cape Town (af-south-1)
  • Latency to SA: < 50ms
  • Backup retention: 35 days

Responsible disclosure

Found something? Tell us first.

We’d rather hear about a vulnerability from a researcher than read about it in the news. Email security@lectern.school with details - we acknowledge within one school day.

01

Acknowledge

Within one school day. We confirm receipt and assign a tracking ID.

02

Investigate

We assess severity, reproduce, and decide on a fix and disclosure timeline.

03

Resolve

Fix shipped. Researcher credited (with permission). Public note in our changelog.

Please don’t test against schools’ live tenants. Use a test account or write to us first to set one up - we’re happy to.

Compliance

Frameworks we’re working with

We’re honest about where we are. Some are done; others are on the roadmap. Either way, what we have is verifiable.

Aligned

POPIA

Data ownership, retention, audit, and consent flows mapped to the Act.

In progress

ISO 27001

Audit underway. Target certification 2026 Q4. Gap-assessment available on request.

Planned

SOC 2 Type II

Scoped for 2027. Roadmap available to schools on the Institution plan.

Need a security questionnaire answered?

We complete a few of these every term - typical IT vetting from school IT departments and procurement teams. Send yours and we’ll turn it around in a school week.