How we look after your centre's data

ClassNest is built around the Protection of Personal Information Act (POPIA), which has been in force since 1 July 2021. POPIA is South Africa's equivalent of GDPR - it tells every organisation how to handle personal information.

For your centre. You are the "responsible party" under POPIA for the personal information of your parents, children, and staff. ClassNest is your "operator" - we process the information on your instructions, within the limits of what the software needs to do its job.

What the app helps you do.

• Respond to parent access requests: every piece of information the app holds about a parent or child is accessible to you in your account.
• Honour consent and withdrawal: you choose what to send, when, and to whom. You can stop sending reminders or receipts to any parent at any time from the invoice or parent profile.
• Keep a clear record of invoices sent, statements issued, and communications logged against each parent.
• Delete parent and child records permanently when a family leaves and you no longer need them.

If you want a practical walk-through of POPIA for your centre, see our POPIA Compliance Checklist.

ClassNest runs on managed cloud infrastructure. We don't run our own servers; we use providers whose specialty is running secure infrastructure at scale.

• Database: Supabase (managed PostgreSQL). Your centre's data, parent records, invoices, and attendance records all sit here.
• Application hosting: Vercel. The ClassNest web app runs on Vercel's global edge network.
• Transactional email: Resend. Invoice emails, statements, and reminders go out through Resend's authenticated mail infrastructure.

Both Supabase and Vercel are independently SOC 2 Type II and ISO 27001 certified. That means the companies we rely on for the underlying infrastructure are audited to enterprise security standards, even though ClassNest itself doesn't yet hold those certifications as a company.

• In transit: every connection between your browser and ClassNest uses TLS 1.2 or higher. No plaintext traffic, ever.
• At rest: your database is encrypted on disk using AES-256 by Supabase. Backups are encrypted the same way.
• Email: invoice and statement emails are sent via TLS; PDFs attached to emails are encrypted in transit along with the message.

Inside your account. Only you (the owner) and the staff you explicitly invite can access your centre's data. Every sign-in is verified through Supabase's authentication system. Passwords are stored as salted hashes; we never see them in plaintext.

Inside ClassNest. Administrative access to production systems is restricted to ClassNest core personnel and used only for support, maintenance, and diagnosing issues you report.

Support access to your account. We don't log in to your account unless you ask us to help with something specific and grant permission in writing. When support is done, access ends.

Your database is backed up automatically every day by Supabase. Backups are encrypted at rest with AES-256 and retained on a rolling recovery window.

Point-in-time recovery is supported, which means if something goes wrong we can restore your data to a specific moment within the retention window - not only the most recent daily snapshot. In practice this makes the gap between an incident and a full recovery as short as possible.

If data loss ever happens on your centre's account, we restore from the most recent good state and explain exactly what was affected and what we did. We don't hide incidents.

We collect the minimum needed for the app to do its job: each child's name, date of birth, class, enrolment status, parent contact, and any medical or allergy notes your centre chooses to record. That's it.

What we never do.

• Sell your data to anyone. Ever.
• Share it with advertisers, marketers, or data brokers.
• Use it to send communications to parents on your behalf without your explicit action.
• Look at your data for any reason other than supporting you or keeping the service running.

We're explicit about every third-party service that could hold any piece of your centre's data. Each one is used for a specific purpose and bound by their own data protection terms.

PayFast handles your ClassNest subscription payments. Your card and banking details are entered directly into PayFast's secure interface; ClassNest never sees or stores them.

POPIA requires us (and you) to report personal information breaches as soon as reasonably possible. The Information Regulator's guidance expects notification within 72 hours as best practice, and that's the standard we work to.

If we discover a security incident that affects your centre's data, we'll:

• Contain the incident and work out what happened.
• Notify you directly at your account email address with what we know, what's affected, and what we're doing about it.
• Notify the Information Regulator in line with POPIA timelines.
• Publish a post-incident summary once the investigation closes, so you can see exactly what went wrong and what we changed.

If you think you've found a security issue in ClassNest, please email support@classnest.co.za with the details. We respond within 48 hours, usually faster.

Security is a continuous investment, not a one-time checkbox. The infrastructure ClassNest runs on is already SOC 2 Type II and ISO 27001 certified through Supabase and Vercel. On our application layer, the next additions on the roadmap are:

• A formal SOC 2 Type I audit at the application layer, adding a company-level certification on top of the infrastructure certifications we already inherit.
• Scheduled third-party penetration testing.Dependencies are monitored for known vulnerabilities through our package registry, and deployments are built on platforms that run their own security scans. Annual external pen tests are on the roadmap to add a dedicated application-layer assessment.
• Public status page. Real-time service health and historical uptime data, so you can see how the app is performing without asking us.

If your centre has specific security or compliance requirements - NDAs, data processing agreements, RFP responses, security questionnaires - email support@classnest.co.za. We handle these directly.