Data Protection & Privacy Governance

Privacy Policy

UA LabSign: Zero-Trust Laboratory Attendance Tracking System | University of Assumption

1. Institutional Commitment & Zero-Trust Framework

The University of Assumption is committed to protecting student and faculty privacy while ensuring absolute record integrity across computer laboratory environments. UA LabSign operates under a strict Zero-Trust security model. This policy explains how institutional identity details, device cryptographic credentials, and instant location telemetry are collected, processed, and protected across our web and mobile applications.


2. Information We Collect

To eliminate proxy attendance and secure institutional records, UA LabSign processes specific categories of academic and technical data:

Institutional Identity Data

Authentication is restricted strictly to official university Google accounts (@ua.edu.ph). We collect student names, institutional email addresses, and official Student ID numbers during onboarding.

Cryptographic Key Material (ECDSA P-256)

During single registration, a unique key pair is generated via the native Web Crypto API. The public key is stored in our database, while your non-exportable private key remains bound locally to your device storage. Private keys are never uploaded to our servers.

Instant Location Check (Geofencing)

GPS coordinates are evaluated strictly at the exact second of room PIN submission to verify presence within a 65-meter laboratory perimeter. Continuous background location tracking is never enabled, preserving student location privacy outside check-in moments.

Security Credentials & Timestamps

Time-sensitive session PINs, active session tokens, salted Bcrypt hashes of 6-digit Recovery PINs, and precise server-verified timestamps for attendance logs.


3. Purpose of Data Processing

Data collected by UA LabSign is used exclusively for operational academic management:

  • Verifying student presence and preventing proxy check-ins using device-bound digital signatures.
  • Confirming physical presence within designated 65-meter laboratory geofence zones during check-in.
  • Providing real-time live monitoring dashboards for faculty members during active class sessions.
  • Maintaining immutable administrative audit trails to ensure institutional compliance and equipment accountability.
  • Generating official class attendance exports for university academic records.

4. Anti-Proxy Verification & Device Transfer

UA LabSign enforces strict single-device registration to mathematically prevent identity spoofing and shared account check-ins:

Non-Repudiation: Attendance requests are signed using your local private key. Because private keys cannot be exported, another user cannot sign attendance on your behalf from a different phone or laptop.

Device Transfer & Revocation: If you change or replace your mobile device, logging in on the new hardware requires entering your 6-digit Recovery PIN. Authorizing a new terminal automatically revokes and evicts all previous device bindings and session tokens.


5. Data Retention, Hashing & Disclosure

All stored administrative credentials, passwords, and 6-digit Recovery PINs are protected using industry-standard Bcrypt hashing algorithms. Attendance logs are maintained inside an encrypted, cloud-hosted PostgreSQL database with parameterized data access controls. Information stored in UA LabSign is never sold, rented, or shared with commercial entities. Access is strictly governed by Role-Based Access Control (RBAC) limited to authorized students, faculty instructors, and university system administrators.


6. Student Rights & Control

Students have full visibility over their attendance history via the searchable student portal. You retain the right to clear local cryptographic keys at any time using the "Deauthorize This Device" button located inside the portal interface. System administrators also maintain endpoint tools to assist with unbinding lost or compromised hardware.


Inquiries & Security Contact

For questions regarding UA LabSign privacy safeguards, device binding issues, or security concerns, please contact the College of Information Technology or the Laboratory Administrator at the University of Assumption, City of San Fernando, Pampanga.