    Meridiane

    Trust & Security

    We take the security of your personal data seriously. Here’s how we protect your information and comply with regulations.

    Encryption

    • All data encrypted in transit with TLS 1.2+ (HTTPS everywhere)

    • Database encrypted at rest with AES-256 via Supabase managed encryption

    • Passwords hashed with bcrypt — we never store plaintext credentials

    Authentication & Sessions

    • Secure JWT-based authentication with automatic token refresh

    • Password strength enforcement (minimum 6 characters, visual strength indicator)

    • School domain gating: only authorized email domains or invite codes can register

    Data Privacy

    • Your documents are stored in private buckets with per-user access control

    • We never share your personal data with third parties for marketing

    • AI conversations are processed for assistance only — not used for model training

    • You can request deletion of all your data at any time

    Infrastructure

    • Hosted on Supabase (AWS eu-west) and Vercel with enterprise-grade SLAs

    • Database runs on PostgreSQL 14 with row-level security (RLS) on every table

    • Edge functions run in isolated Deno sandboxes with no shared state

    Audit & Monitoring

    • Admin actions logged in a full audit trail (actor, action, target, timestamp)

    • Anomaly detection system monitors for abuse patterns and unusual activity

    • Rate limiting on API endpoints prevents brute-force and abuse

    Access Control

    • Role-based access: students, directors, and admins have separate permissions

    • Row-level security ensures users can only access their own data

    • Directors can only view students enrolled in their school

    GDPR Compliance

    • Data minimization: we only collect information necessary for your procedures

    • Right to access: export your data at any time from your profile

    • Right to erasure: request complete deletion of your account and data

    • Data processing limited to the EU region (Supabase EU-West)

    Incident Response

    • Documented incident response process with severity classification

    • Known issues tracked in an internal incident journal with root cause analysis

    • Affected users notified within 72 hours of any data breach per GDPR requirements

    Security questions?

    If you have questions about our security practices or want to report a vulnerability, reach out to our security team.

    contact@meridiane.fr
