Security

1. Encryption

2. Authentication & Session Security

• JWT sessions — secure, signed JSON Web Tokens with short expiration times and automatic refresh.
• CSRF protection — all state-changing requests are validated against a unique CSRF token to prevent cross-site request forgery.
• Rate limiting — API endpoints are rate-limited to prevent brute-force attacks and abuse. Login endpoints have stricter limits with exponential backoff.
• Secure cookies — session cookies are HttpOnly, Secure, and SameSite=Strict to prevent client-side access and cross-site leakage.

3. Infrastructure

• Appwrite Cloud — our backend runs on Appwrite Cloud with managed infrastructure, automated patches, and built-in DDoS protection.
• Per-institution isolation — each institution's data is logically isolated at the database level. Teachers, students, and parents from one institution cannot access data from another.
• Automated backups — data is backed up daily with point-in-time recovery capabilities.
• Monitoring — real-time alerting for anomalous access patterns, failed authentication attempts, and system health metrics.

4. AI Provider Security

When assessment data is sent to third-party AI providers (Google Gemini, Mistral, OpenRouter) for evaluation:

• Data is transmitted over encrypted channels (TLS 1.2+).
• Data is not used for model training by any of our AI providers. It is processed and discarded after generating the evaluation response.
• We maintain Data Processing Agreements (DPAs) with all AI providers governing data handling obligations.
• Only the minimum data necessary for evaluation is transmitted — no student personally identifiable information is sent to AI providers unless required for the evaluation context.

5. Access Controls

• Role-based access control (RBAC) — the platform enforces strict role boundaries: Platform Admin, Principal, Teacher, Student, and Parent. Each role has access only to features and data relevant to their function.
• Principle of least privilege — users are granted the minimum permissions necessary to perform their tasks.
• Audit trails — critical actions (login, evaluation access, data export) are logged for accountability and forensic review.
• Token-based parent access — parents access student reports via unique, time-limited tokens rather than traditional credentials.

6. Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

We acknowledge receipt of vulnerability reports within 24 hours and aim to provide an initial assessment within 72 hours. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.