Security & Compliance

Last updated: April 18, 2026

Encryption

  • OAuth tokens encrypted at rest with Google Cloud KMS (key: student-oauth-tokens, region: europe-west1)
  • TLS 1.2+ for all in-transit data

Data residency

  • Primary region: europe-west1 (Firebase Functions + Firestore)
  • Aligned with GDPR expectations for EU customers

Access controls

  • Per-workspace isolation; no cross-tenant reads
  • Role-based permissions (owner / admin / counselor / viewer)
  • Immutable audit log of every consent, token refresh, email send, thread open, and revocation

Google OAuth

EduCRM's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

AI data handling

  • Anthropic (Claude) processes inputs as a sub-processor under our DPA. No training on customer data.
  • Usage and spend transparent to workspace admins via Settings → AI Usage

Sub-processors

Anthropic · Google Cloud · Vercel · Stripe · Resend

Data Processing Agreement

DPA available on request: privacy@educrmapp.com