ASKCECOS handles student communications, fee references, and academic records. We treat that data with the seriousness it deserves.
All data is encrypted using TLS 1.3 in transit and AES-256 at rest. WhatsApp end-to-end encryption is preserved up to the official Business API gateway.
Phone numbers are stored only as SHA-256 hashes in the primary database. Raw numbers are held in Redis with a short TTL and are never written to permanent storage, logs, or URLs.
CNICs, financial identifiers, and raw phone numbers are automatically redacted from analytics dashboards, AI prompt context, and audit logs before they are written.
Role-based access control across departments. Admin accounts require multi-factor authentication. API access is protected by HMAC-SHA256 webhook signatures and Bearer token authentication.
Every prompt, response, confidence score, smart handoff decision, and admin action is logged immutably for at least 12 months. Logs are append-only and cannot be modified via the admin panel.
Confidence-gated responses ensure low-confidence answers trigger a smart handoff to human agents rather than being sent to students. Stall phrases and hallucination patterns are detected and discarded by the pipeline.
Found a vulnerability? We'd like to know. Email cdgai@cecos.edu.pk with a description of the issue, steps to reproduce, and impact assessment. We aim to acknowledge within 24 hours and resolve critical issues within 7 days. We do not currently operate a bug bounty programme, but we do acknowledge researchers publicly with their consent.