← Back to home Español

🛡️ Security & Compliance

What a school (and its legal advisor) needs to know before entrusting us with their community's data. Campus is built to comply with Peru's Law No. 29733 on Personal Data Protection, with the reinforced protection that minors' data requires.

✓ Ley 29733 ✓ TLS / HTTPS ✓ Isolated per school ✓ Daily backups ✓ ARCO
🔒

Encryption in transit

All traffic runs over TLS/HTTPS with HSTS. Passwords are stored as bcrypt hashes; no one —not even us— can read them.

🏛️

Multi-tenant isolation

Each school runs on its own separate database. No school can see another's data: there is no cross-contamination.

💾

Daily backups

Automatic backup of every database each night, with historical retention. The director can download a full backup at any time.

🧾

Access auditing

We log who accesses what and when. Role-based access control with the least-privilege principle.

♻️

Reversible deletion (soft-delete)

Pedagogical data is never hard-deleted: it is marked deleted and can be restored, with a later scheduled purge.

⚖️

ARCO rights

Access, Rectification, Cancellation, and Opposition guaranteed, with legal deadlines and a formal privacy channel.

🗓️

Data retention

Data is kept for the duration of the contract. Upon termination, the school exports it and it is then deleted per a written retention policy.

🌎

Sub-processors and transfers

We publish the full list of providers that process data on our behalf and declare international transfers before the ANPD.

Who is responsible for what

Under Law No. 29733, the school is the data bank owner and Clase Privada (Campus) is the data processor: we process data only on the school's behalf and per its instructions, to provide the Service. This relationship is formalized in a Data Processing Agreement (DPA) signed with each school, whose security annex summarizes the measures on this page.

Artificial intelligence, with safeguards

Some features use external AI models to assist teachers. Before leaving, all text is pseudonymized (names replaced with pseudonyms and DNI/phone-like numbers removed). AI suggestions always go through the teacher's human review, and each school can fully disable AI use while keeping the rest of the Service.

Sub-processors

These are all the providers that process data on our behalf to deliver the Service. Those marked AI process pseudonymized data outside Peru.

Provider Purpose Country Policy
Hostinger International Ltd. Server (VPS) hosting and database storage. Lithuania (EU) / USA view
Google Firebase Cloud Messaging (FCM) Delivery of push notifications to the mobile app. USA view
MercadoPago (Mercado Libre) Tuition and subscription payment processing (Checkout Pro). Only when the school enables the gateway. Argentina / Brazil view
SMTP email provider (Google Workspace by default) Sending transactional email (credentials, report cards, notices). Each school may configure its own SMTP server. USA (or as configured by the school) view
Groq, Inc. · AI AI-assisted generation of comments and reports (pseudonymized data). USA view
Cerebras Systems, Inc. · AI AI-assisted generation of comments and reports (pseudonymized data). USA view
Mistral AI · AI AI-assisted generation of comments and reports (pseudonymized data). France (EU) view
OpenAI, L.L.C. · AI AI-assisted generation of comments and reports (pseudonymized data). USA view
OpenRouter, Inc. · AI Routing to AI models (pseudonymized data). USA view
Cohere Inc. · AI AI-assisted generation of comments and reports (pseudonymized data). Canada view
Z.ai (Zhipu AI) · AI AI-assisted generation of comments and reports (pseudonymized data). China view

International transfers are carried out with adequate safeguards and declared as a cross-border flow before the National Authority for the Protection of Personal Data (ANPD).

Documents and privacy channel

Formal channel for ARCO rights and any data-protection inquiry. Attended by the Data Protection Officer (DPO).