Data Security at NextClass
Your data security and privacy are our top priorities. We implement industry-leading security measures to protect educator and student information.
Canadian Data Residency
All of your data is securely stored on servers hosted on AWS infrastructure in Canada. This ensures compliance with all relevant Canadian privacy legislation, including PIPEDA (Personal Information Protection and Electronic Documents Act) and, where applicable, provincial education privacy laws.
By keeping data within Canada, we ensure that your information remains subject to Canadian privacy laws and is not subject to foreign government access requests under laws like the USA PATRIOT Act.
PIPEDA Compliance
Next Class Inc. is committed to full compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). We:
- Collect only information necessary to provide our services
- Obtain meaningful consent for data collection and use
- Limit data use to stated purposes
- Protect personal information with appropriate safeguards
- Maintain transparency about our privacy practices
- Provide individuals with access to their personal information
- Respond to privacy concerns and complaints
Encryption & Data Protection
We use industry-standard encryption to protect your data both in transit and at rest:
- In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security), the same technology used by banks and financial institutions.
- At Rest: All data stored on our servers is encrypted using AES-256 encryption, a military-grade encryption standard.
- Database Security: Our databases are encrypted and access is restricted using role-based access controls.
Authentication & Access Control
We use Auth0, an industry-leading identity management platform, to secure user authentication:
- Multi-factor authentication (MFA) available for enhanced security
- Secure password requirements and hashing
- Session management and automatic timeout
- Role-based access controls to limit data access
- Single sign-on (SSO) support for school boards
Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. This is the highest level of security certification in the payments industry.
- We never store credit card information on our servers
- All payment data is encrypted and tokenized
- Stripe is certified compliant with PCI Service Provider Level 1, the most stringent level of certification
- Fraud detection and prevention tools are active on all transactions
Infrastructure Security
Our infrastructure is built on Amazon Web Services (AWS), which provides:
- 24/7 monitoring and threat detection
- Automated security patching and updates
- Network isolation and firewalls
- DDoS protection
- Regular security audits and compliance certifications
- Redundant backups and disaster recovery procedures
Application Security
We follow secure software development practices throughout our development lifecycle:
- Regular security code reviews and testing
- Automated vulnerability scanning
- Input validation and sanitization to prevent injection attacks
- Protection against cross-site scripting (XSS) and cross-site request forgery (CSRF)
- Regular dependency updates to address known vulnerabilities
- Security headers and content security policies
Access Controls & Monitoring
We maintain strict controls over who can access data:
- Role-based access control (RBAC) limits employee access to data
- Principle of least privilege: employees have only the access necessary for their role
- All access to production systems is logged and monitored
- Regular access reviews to ensure appropriate permissions
- Mandatory security training for all employees
Incident Response & Breach Notification
We have a comprehensive incident response plan in place:
- 24/7 security monitoring and alerting
- Incident response team ready to respond to security events
- Regular incident response drills and tabletop exercises
- Breach notification procedures in compliance with PIPEDA requirements
- Post-incident reviews to improve security measures
In the event of a data breach that poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by law.
Regular Security Audits
We conduct regular security assessments to ensure our security measures remain effective:
- Internal security audits and vulnerability assessments
- Third-party penetration testing
- Code security reviews
- Infrastructure security assessments
- Compliance audits for privacy regulations
Data Retention & Deletion
We retain data only as long as necessary to provide our services and comply with legal obligations:
- Account data: Retained for the life of the account plus 2 years
- Support records: Retained for 2 years
- Audit logs: Retained for 12 months
- Backups: Rolling 35-45 day retention
Upon request, we will delete or de-identify your data, subject to legal requirements and backup retention periods. See our Privacy Policy for more details.
Third-Party Service Providers
We carefully vet all third-party service providers and ensure they meet our security standards:
- AWS (Amazon Web Services): Cloud infrastructure hosting in Canada
- Stripe: PCI DSS Level 1 certified payment processing
- Auth0: Enterprise-grade identity and access management
- Google Analytics, Meta Pixel, Microsoft Clarity: Analytics with privacy controls
All third-party providers are bound by data processing agreements that require them to maintain appropriate security measures and use data only for specified purposes.
Your Security Responsibilities
Security is a shared responsibility. We ask that you:
- Use a strong, unique password for your account
- Enable multi-factor authentication if available
- Never share your account credentials
- Log out when using shared or public computers
- Report any suspicious activity or security concerns to us immediately
- Keep your contact information up to date so we can reach you in case of a security incident
Security Questions or Concerns?
If you have questions about our security practices or wish to report a security vulnerability, please contact us:
Email: info@nextclass.ca
For more information about our privacy practices, please see our Privacy Policy.
Last updated: November 5, 2025