Schools sign a vendor in a procurement process that’s often more about IT, legal and compliance than about features. The page below summarises how CHERI SMS handles authentication, data protection, anti-cheating, audit logging, and the regulatory frameworks Indian and international schools have to answer to.
Email or phone OTP at sign-up. Optional TOTP-based 2FA for staff and admin accounts. Suspicious-login alerts trigger a re-verification rather than a silent allow.
Short-lived JWT access tokens with refresh-token rotation. Server-side blacklist on logout, password change, or when an account is disabled, so a stolen token can be cut off centrally.
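The token lifecycle described above, sketched as an added example (this is not CHERI SMS's own code): HS256-signed access tokens built with the Python standard library, refresh-token rotation, and a server-side blacklist checked on every request. It goes one step further than the text by treating a replayed refresh token as theft; the 300-second lifetime, the in-memory stores and all function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed demo signing key
ACCESS_TTL = 300               # assumed access-token lifetime (seconds)
revoked_jti = set()            # blacklist of single access tokens (logout)
revoked_before = {}            # user -> cutoff (password change / disabled)
refresh_store = {}             # refresh token -> {"user", "used"}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(msg):
    return _b64(hmac.new(KEY, msg.encode(), hashlib.sha256).digest())

def issue(user, now):
    claims = {"sub": user, "jti": secrets.token_hex(8), "iat": now, "exp": now + ACCESS_TTL}
    msg = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode())
    refresh = secrets.token_urlsafe(32)
    refresh_store[refresh] = {"user": user, "used": False}
    return msg + "." + _sign(msg), refresh

def verify(token, now):
    """Return claims if the token is authentic, unexpired and not revoked."""
    msg, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(msg).encode()):
        return None
    body = msg.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    dead = claims["jti"] in revoked_jti or claims["iat"] <= revoked_before.get(claims["sub"], -1)
    return None if dead or now >= claims["exp"] else claims

def logout(token, now):
    claims = verify(token, now)
    if claims:
        revoked_jti.add(claims["jti"])

def revoke_user(user, now):
    """Password change or disabled account: kill everything issued so far."""
    revoked_before[user] = now
    for tok in [t for t, e in refresh_store.items() if e["user"] == user]:
        del refresh_store[tok]

def rotate(refresh, now):  # one-time use; a replayed token revokes the user
    entry = refresh_store.get(refresh)
    if entry is None or entry["used"]:
        if entry:
            revoke_user(entry["user"], now)
        return None
    entry["used"] = True
    return issue(entry["user"], now)
```

Blacklist entries only need to be kept until the matching access token would have expired anyway, which is why a short lifetime keeps the server-side list small.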
Roles range from SuperAdmin to Student, with eight permission types per module (View, Add, Edit, Delete, Approve, Export, Import, Print) and individual overrides where a school needs to deviate from the role default.
Sensitive fields (national IDs, financial records, contact details) are encrypted at the column level using AES-256. Backups inherit the same encryption.
All traffic to the platform runs over TLS 1.2 or higher with HSTS preload. Internal service-to-service calls inside the cluster are mutually authenticated.
Every record carries a school ID, and every database query is forced through a tenant filter at the framework level. A teacher in School A cannot read a row that belongs to School B, even by mistake.
Any user-generated content rendered as HTML (announcements, chat, comments) is run through DOMPurify before display. The XSS attack surface stays small and well-defined.
Schools that need to keep data inside India, the UAE or another specific jurisdiction can pin their tenant to that region’s database cluster. We can talk through the residency contract during onboarding.
Files attached in chat are scoped to the conversation, time-boxed (24-hour auto-delete by default), and traceable. The intent is to support genuine teaching context, not a general drop box.
The anti-cheating controls below are on by default for every published quiz inside CheriMathLab. The teacher doesn’t configure them.
If the student switches tabs or minimises the window during a graded quiz, the system flags the event and notifies the teacher.
The browser’s native screenshot path is blocked on the quiz page, so questions can’t easily be shared on WhatsApp during the quiz.
Both question order and option order are randomised per student, so two learners next to each other don’t see the same paper.
Each question has its own time budget. Time runs forward only, so seconds saved on an easy question can’t be banked for a hard one.
The AI tutor is unreachable inside a graded quiz, so a student can’t hop into chat and ask the assistant for the answer.
If the network drops or the browser closes, the in-progress attempt is submitted with whatever’s been answered, rather than being lost.
One-to-one chats between a teacher and a student or parent are private. Admins do not see the body of a DM in their normal admin view. Access only opens up under a documented abuse-investigation flow, with a logged justification.
File sharing in chat is intended for STEM teaching artefacts (handwritten working, diagrams, problem sets). Files default to a 24-hour auto-delete, and consent to the file-sharing terms is recorded server-side.
Every action is logged in UTC, and the footer of the dashboard shows the user’s local timezone next to the UTC offset. There’s no ambiguity over “what time was that quiz submitted?” during a parent-teacher review.
Browser and mobile push notifications require an explicit opt-in. Consent withdrawal is on the roadmap as a one-click control on the user’s profile page, alongside data-export and account-deletion options.
CHERI SMS is built on the assumption that an external auditor will eventually look at the logs. The logging is structured for that, not bolted on afterwards.
We don’t certify against every framework. We do design the data model, the consent flows and the audit trails so that schools can answer their own auditors.
Student records, attendance and basic school info are structured to support UDISE+ reporting in Indian schools.
Admission tracking, fee structures and attendance rules are configurable to align with state-level RTE-quota requirements.
Multi-disciplinary courses, holistic report cards and the 5+3+3+4 structure are first-class concepts in the data model.
Consent tracking, data-export, account-deletion and breach-notification workflows are built in. GDPR for international schools, DPDP for Indian schools.
We’re happy to do a 45-minute call with your IT lead and walk through any specific section in detail.