Data protection
Your data, separated and protected.
A plain account of how Folio isolates each institution, enforces access at the database, and keeps a record of what changes. No jargon, no hand-waving.
Isolation per institution
Every institution runs on its own subdomain, and its records are scoped to its own institution at every query. A student, a course, a grade belongs to one institution and is only ever read in that context.
Row-level security, at the database
Access is enforced in Postgres itself with row-level security, not only in the interface. Even a bug in the application cannot hand one user another’s protected rows, because the database refuses to return them.
Scoped sessions & access
Sessions are scoped to your institution’s domain. Roles separate duties: administrators, registrars and staff each see only what their role permits, and platform-level access is limited and deliberate.
An audit trail
Administrative changes are recorded: who changed what, and when. The record is there for your own review and for the questions procurement and compliance teams ask.
We don’t mine your work
Your institution’s content is yours. Folio’s AI answers from the sources you give it; we do not sell your data, and we do not train models on your students’ work.
Compliance posture
Folio is built to a GDPR-aligned standard, and a Data Processing Agreement is available on request. Single sign-on (SAML / OIDC) and regional data residency are on our institutional roadmap; tell us your requirements and we’ll walk through where we are.
Have a security questionnaire?
Send it over. We’ll walk through isolation, access, retention and our roadmap, and give you what your compliance team needs.