This page describes the security and data-protection measures Kudzu Partners applies to all platforms operated under the eurekasimulations.com and proevaluationsystem.com brands. It complements our Privacy policy and Terms of service.
1. Hosting & data residency
All production data is hosted on Amazon Web Services (AWS) in the EU region eu-west-1 (Ireland), under a multi-Availability-Zone architecture. Personal data does not leave the European Economic Area. AWS data centers carry ISO 27001, SOC 2 and other industry certifications.
2. Encryption
- In transit: all traffic is encrypted. HTTPS uses TLS 1.2 or higher; SSH and SFTP sessions are protected by the SSH protocol's own transport encryption.
- At rest: AWS EBS volumes and backups are encrypted. User passwords are stored as bcrypt hashes (cost factor 12, per-user salt), in line with OWASP ASVS guidance.
3. Access control
Access is governed by role-based access control (RBAC) with hierarchical permissions, applying the principle of least privilege. Each user has a unique identifier. The password policy enforces minimum length and complexity, and accounts are locked after repeated failed login attempts. Multi-factor authentication is available where supported. Session activity is logged.
4. Backups & disaster recovery
- Daily automated backups, with a 7-day rolling history, redundantly stored within AWS.
- Recovery Time Objective (RTO): 1.5 hours for critical services.
- Recovery Point Objective (RPO): 24 hours.
- Multi-AZ deployment for high availability; periodic restore drills.
5. Application security
Development follows the OWASP Top 10 and the OWASP Application Security Verification Standard (ASVS). We conduct annual penetration tests and code-level security reviews on principal components. Findings are prioritized, remediated and re-tested. Deployments go through a CI/CD pipeline (Bitbucket Pipelines) with controlled release procedures.
6. Network security
AWS Security Groups and NACLs act as network-level firewalls; AWS Web Application Firewall (WAF) protects the application layer. The network is segmented and traffic is monitored for anomalies. AWS GuardDuty is enabled for threat detection.
7. Personnel & training
All staff with access to personal data sign confidentiality agreements as part of their employment contract — these obligations remain in force after the relationship ends. Periodic security and data-protection awareness training is provided.
8. Student data handling
Personal data is processed strictly under the data-processor agreement signed with each institution, in line with Article 28 of the GDPR. The data is used solely for the contracted purpose; it is never sold and never shared with third parties beyond the subprocessors named below. Pseudonymization is applied where feasible: passwords are stored as bcrypt hashes (cost factor 12, per-user salt), and identifiers are disassociated from personal data in non-production environments.
9. Data retention
Personal data is retained for the duration of the contractual relationship with the institution. On termination, data is deleted or returned within the window stipulated in the data-processor agreement, except where retention is legally required under EU or Member State law. Backup copies age out of the 7-day rolling window automatically.
10. Incident response
We maintain a documented procedure to notify the data controller of security incidents without undue delay, and in any case within 48 hours of awareness, in line with Article 33 of the GDPR. The notification includes the nature of the incident, the categories and approximate volume of affected subjects and records, and the proposed mitigation measures. Internally, the protocol covers containment, forensic analysis, eradication, recovery, and lessons learned.
11. Compliance, audits & subprocessors
- GDPR / RGPD: compliant. We maintain a Record of Processing Activities (RAT) under Article 30.
- DPO and security contact: Joaquim Virgili Llop — dpo@kudzupartners.com.
- Audits: institutions may audit our processes on reasonable notice; annual pentest reports and control evidence are available under NDA.
- International transfers: none. All processing takes place in AWS EU.
- Subprocessors: AWS (infrastructure, EU). The data processing itself is not subcontracted.
- Certifications: Kudzu Partners is not currently certified to ISO 27001 or ISO 22301. Our infrastructure provider (AWS) is. Our practices follow OWASP and the AWS Well-Architected Framework (Security Pillar).
Last updated: May 2026. For security questions or to request audit evidence under NDA, contact dpo@kudzupartners.com.