This page covers Stavion ERP's public website and platform technology from two angles: what it means for your school day-to-day, and — for anyone on your side who wants to go deeper — the actual stack, architecture, and security model underneath it.
Your public website is custom-engineered on a modern, secure, and future-proof foundation, and wired directly into the same platform that runs your admissions, fees, and communication.
Built with the same class of technology (React + TypeScript) used by Google, Netflix, and Meta — your school's website loads in a couple of seconds, even on an average mobile connection.
Phone, tablet, or laptop — the site automatically adapts, so every parent sees a polished, professional school online, no matter how they browse.
No outdated plugins or themes to hack — unlike typical WordPress sites. Encrypted HTTPS connections, modern security headers, and a codebase that doesn't depend on third-party plugin updates to stay safe.
Search-engine optimisation is built in from day one — page titles, descriptions, sitemaps, and structured data help parents searching for "schools near me" find your school first.
Admission inquiries, contact forms, and career applications on your website don't land in an inbox to be manually copied — they flow straight into Stavion's admissions pipeline, instantly.
New pages, sections, or campaigns can be added without rebuilding the site. No recurring "theme" or "plugin license" fees — and no risk of the site breaking after a browser or platform update.
Behind the portals, Stavion is an API-driven, configuration-driven platform — the same approach large enterprise software vendors use so their products can be customised for every customer without rewriting code for each one.
Every module — admissions, fees, attendance, exams, payroll — is a connected service with a clean API underneath. New integrations (payment gateways, WhatsApp/SMS, government portals like UDISE+) plug in without re-engineering the core.
Classes, sections, fee structures, grading rules, and approval workflows are set up through configuration screens — not custom programming. When a rule changes, it's a configuration change, not a software rebuild.
Transport, library, payroll, analytics — each is an independent building block on the same core. Turning one on doesn't mean redeploying or disrupting the rest of the platform.
Every school's data lives in its own isolated space on shared, centrally-maintained infrastructure — never mixed or visible to any other institution on the platform.
A teacher, an accountant, and a principal each see exactly what their role allows — automatically, consistently, across every portal — without relying on staff to "just not click that".
Update a student's attendance once, and it's instantly reflected in the teacher's register, the parent's app, and the management dashboard — no exports, no manual syncing between systems.
Containerized services that run the same way in development and production — designed to grow from a single campus to a multi-school group without re-architecting.
A built-in report and dashboard builder lets management create the views they need themselves — no developer, no vendor request, no waiting.
Every layer uses current, actively-maintained, industry-standard technology — not a proprietary or abandoned framework that locks you in or stops receiving security updates.
| Layer | Technology | Why it matters |
|---|---|---|
| Public website & portals | React 18TypeScriptVite 5Tailwind CSS 3React Router 6 |
Component-based, type-checked front end with instant navigation, a shared design system, and a build pipeline that produces small, fast-loading bundles. |
| Backend API | Node.jsExpressTypeScriptZod |
A type-safe REST API with schema validation (Zod) on every request, so malformed or malicious input is rejected before it reaches business logic. |
| Database | PostgreSQL 16Prisma ORM |
A proven, ACID-compliant relational database with type-safe queries and version-controlled schema migrations — no hand-written SQL prone to injection bugs. |
| Caching & sessions | Redis 7 |
Fast in-memory store for session and cache data, keeping the platform responsive as more schools and users come online. |
| Authentication & access control | JWTbcryptTOTP 2FA (speakeasy) |
Industry-standard token-based sessions, salted password hashing, and time-based one-time-password two-factor authentication for sensitive accounts. |
| HTTP security & logging | HelmetCORS policyPino structured logs |
Secure HTTP headers applied by default, a locked-down cross-origin policy, and structured request logging for audit and incident response. |
| Infrastructure | Dockerpnpm workspaces (monorepo)Shared TypeScript types |
Containerized services that run identically in development and production, with shared type definitions between front end and back end to prevent integration bugs. |
Every dependency above is a widely-adopted, actively-maintained open-source project with a large community and long-term support — chosen specifically so the platform never depends on a single vendor or an obscure, unsupported tool.
"API-driven" and "configuration-driven" are common claims in enterprise software. Here's specifically how each one is implemented in Stavion.
These are the controls in place today, mapped to the questions both a school management committee and a technical reviewer typically ask.
npm audit.The public website, the ERP portals, and the backend API are separate applications in a single monorepo, sharing types and a common data model — so they evolve together without becoming tangled.
React + Vite site for admissions, school info, and inquiries.
Role-based apps for management, principals, teachers, parents, students.
Express + TypeScript service, the single source of truth for all apps.
PostgreSQL + Redis, containerized, with version-controlled migrations.