How we protect your data.
When dealing with student records, academic data, and corporate intellectual property, security isn't just a feature — it is our entire foundation. Here is exactly how we ensure enterprise-grade protection.
Enterprise Cloud Hosting
All core student data and platform analytics are hosted on isolated, encrypted PostgreSQL databases. We rely on world-class, SOC-2 compliant cloud infrastructure to guarantee resilience against data loss, with a best-effort uptime target of 99%.
Zero-Trust Document Storage
Every resume, offer letter, and academic document uploaded is instantly encrypted and routed to Cloudflare's global R2 storage network. Files are sealed behind securely signed, time-expiring URLs — never public links.
State-of-the-Art Authentication
We employ cryptographic, JWT-based session management. Sessions expire after 8 hours and are invalidated immediately upon a password change. Passwords are irreversibly hashed using industry-standard bcrypt before reaching our servers — we never store passwords in plain text.
AI Privacy Guarantee
Student resumes submitted for AI scoring are processed in an isolated, enterprise environment. Resumes are never used to train public AI models and are processed solely for the purpose of generating the student's score and feedback.
Brute Force & Breach Protection
Repeated failed login attempts trigger automatic account lockout, preventing brute-force attacks. During registration, passwords are checked against the HaveIBeenPwned database to prevent the use of credentials exposed in known data breaches. Sensitive API endpoints are rate-limited.
Full Audit Trail
Every action taken by a recruiter on the platform — including profile views, status changes, and notes — is recorded in an immutable access log. Placement officers have complete visibility into recruiter activity on their drives at all times.
Role-Based Access Control (RBAC)
We operate on a strict principle of Least Privilege. A student can never view another student's data. A recruiter is restricted to viewing only the applicants who applied to their specific authorised drive. Placement officers maintain full, auditable control over access limits. Super admins operate in a completely isolated tier. We build the fortress — you hold the keys.
DPDPA 2023 Compliance
PlaceGrad operates as a Data Processor under India's Digital Personal Data Protection Act, 2023. The College deploying our platform acts as the Data Fiduciary and is responsible for obtaining valid consent from students. PlaceGrad processes personal data solely on documented instructions from the College, implements reasonable technical and organisational measures to protect data, and assists Colleges in responding to student rights requests under the DPDPA.
Individually identifiable student data is never sold or shared with third parties without prior written consent from the College. Upon contract termination, student data is available for export for 30 days, after which it is securely deleted from our systems.
Our Data Practices at a Glance
Responsible Disclosure
If you discover a security vulnerability in the PlaceGrad platform, we encourage responsible disclosure. Please report it to us at support@placegrad.com with a description of the vulnerability and steps to reproduce it. We commit to acknowledging your report within 48 business hours and working with you to resolve the issue promptly.
Please do not publicly disclose security vulnerabilities until we have had a reasonable opportunity to investigate and address them.