Enterprise-grade security built into every layer
MFA, SSO (SAML 2.0 & OIDC), AES-256-GCM encryption, Row Level Security, and automated security audits — designed for institutional procurement and IT governance reviews.
Multi-factor authentication
TOTP-based MFA with AES-256-GCM encrypted secrets, 10 single-use recovery codes, and middleware-enforced MFA-pending guards across all protected routes.
Enterprise SSO integration
SP-initiated SAML 2.0 with SHA-256/SHA-512 signature validation and OIDC Authorization Code flow with PKCE — configurable per institution.
Row Level Security isolation
PostgreSQL Row Level Security enforced on all public tables with institution-scoped tenant boundaries and automated RLS verification scripts.
Security and compliance coverage
Six pillars of security — from authentication and encryption to observability and compliance — built for higher and further education institutions.
Architecture & isolation
Multi-tenant architecture with RLS-backed data isolation, institution-scoped workspaces, and role-based middleware guards protecting dashboard, labs, courses, generate, profile, and admin segments.
Authentication & identity
Five authentication methods: email/password (bcrypt), Google OAuth, phone OTP (Supabase SMS), TOTP MFA (30-second period, ±1 window), and enterprise SSO via SAML 2.0 or OIDC with PKCE. Per-institution SSO routing.
Session governance
JWT sessions with 4-hour maximum age. MFA-pending tokens are blocked from protected routes at the middleware layer. Admin routes require both ADMIN role and a verified session cookie.
Encryption controls
AES-256-GCM encryption for MFA secrets at rest (12-byte IV, 128-bit auth tag). TLS in transit across all services. HSTS enforced at 2 years with includeSubDomains and preload.
Observability & audit trail
Sentry error tracking (client, server, edge), OpenTelemetry distributed tracing, Pino structured logging to database, per-job cost tracking, quality signal pipeline, and admin monitoring dashboard.
Compliance & governance
GDPR and FERPA compliance documentation, Jisc security checklist alignment, ICO registration, automated Pa11y / axe WCAG 2.1 AA accessibility audits, and content governance with generation history tracking.
Authentication methods
| Method | Implementation detail |
|---|---|
| Email & password | Bcrypt-hashed credentials with email verification and password reset flows |
| Google OAuth 2.0 | Automatic local account provisioning on first sign-in |
| Phone OTP | Supabase-backed SMS one-time passwords supporting both sign-up and sign-in |
| TOTP MFA | SHA-1, 6 digits, 30-second period with 10 single-use recovery codes (8 characters each) |
| SAML 2.0 SSO | SP-initiated flow with SHA-256/SHA-512 signatures, assertion signing, and 5-minute clock skew tolerance |
| OIDC + PKCE SSO | Discovery-based Authorization Code flow with S256 code challenge, nonce + state validation |
Security headers
Strict-Transport-Security
max-age=63072000; includeSubDomains; preload
Content-Security-Policy
Strict script-src, style-src, and connect-src directives
X-Content-Type-Options
nosniff
Referrer-Policy
strict-origin-when-cross-origin
Permissions-Policy
camera=(), microphone=(), geolocation=() disabled
X-Frame-Options
DENY (app), SAMEORIGIN (SCORM preview), ALLOWALL (LTI). Note that ALLOWALL is not a value defined for X-Frame-Options (RFC 7034 specifies only DENY, SAMEORIGIN and the obsolete ALLOW-FROM); browsers ignore an unrecognised value, so the header is effectively absent on LTI routes, and the LMS origins permitted to frame them should be pinned with a CSP frame-ancestors directive.
X-Powered-By
Disabled to reduce server fingerprinting
X-Robots-Tag
noindex, nofollow on all protected segments
Runtime protections
- PostgreSQL RLS enforced on all public tables with automated verification scripts.
- JWT sessions capped at 4 hours with MFA-pending tokens blocked at middleware.
- Redis-backed presence heartbeat with 10-minute cleanup window and DB fallback.
- Circuit breaker on Gemini API calls to prevent cascade failures.
- DB connection pool hardening with idle timeout (10s serverless / 30s traditional).
- Zod schema validation on all API inputs with email/phone normalization.
- Quality gating blocks export of labs scoring below 60/100 on a 7-dimension scorecard.
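The automated RLS verification scripts mentioned in this list and under Row Level Security isolation above are not shown on the page. As an added example of what such a check looks like (not the product's script), the Node.js snippet below audits a constructed catalog snapshot for tables without row security, owner bypass, catch-all policies, and policies whose WITH CHECK is not tenant-scoped. The tenant column name institution_id and the Supabase-style auth.jwt() expressions in the sample are assumptions.

```javascript
// Added example, not the product's own script: the check an automated RLS
// verifier makes, run over a constructed catalog snapshot instead of a live
// connection. The tenant column name is an assumption. The snapshot would come
// from a query of this shape (pg_policy.polcmd codes r/a/w/d/* mapped to names):
//   SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity, p.polname, p.polcmd,
//          pg_get_expr(p.polqual, p.polrelid)      AS qual,
//          pg_get_expr(p.polwithcheck, p.polrelid) AS with_check
//   FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
//   LEFT JOIN pg_policy p ON p.polrelid = c.oid
//   WHERE n.nspname = 'public' AND c.relkind IN ('r', 'p');
const TENANT_COLUMN = 'institution_id';

// Constructed snapshot: one clean table and four misconfigurations.
const SAMPLE_CATALOG = [
  { table: 'labs', rls: true, force: true, policies: [
    { name: 'labs_tenant', cmd: 'ALL',
      qual: "(institution_id = (auth.jwt() ->> 'institution_id')::uuid)", withCheck: null } ] },
  { table: 'courses', rls: true, force: false, policies: [
    { name: 'courses_read', cmd: 'SELECT', qual: 'true', withCheck: null } ] },
  { table: 'profiles', rls: false, force: false, policies: [] },
  { table: 'audit_log', rls: true, force: true, policies: [] },
  { table: 'lab_versions', rls: true, force: true, policies: [
    { name: 'lab_versions_write', cmd: 'UPDATE',
      qual: "(institution_id = (auth.jwt() ->> 'institution_id')::uuid)", withCheck: 'true' } ] },
];

const admitsAll = (expr) => expr === '' || /^\(?true\)?$/i.test(expr);

function auditRls(tables, tenantColumn = TENANT_COLUMN) {
  const findings = [];
  for (const t of tables) {
    const add = (level, msg) => findings.push({ table: t.table, level, msg });
    if (!t.rls) { add('error', 'row security is not enabled'); continue; }
    if (!t.force) add('warn', 'table owner bypasses RLS; consider ALTER TABLE ... FORCE ROW LEVEL SECURITY');
    if (t.policies.length === 0) add('warn', 'RLS enabled with no policies: every non-bypass role is denied');
    for (const p of t.policies) {
      const qual = (p.qual ?? '').trim();
      const check = (p.withCheck ?? '').trim();
      // USING scopes what a tenant can see (INSERT policies have no USING clause).
      if (p.cmd !== 'INSERT') {
        if (admitsAll(qual)) add('error', `policy ${p.name} USING admits every row`);
        else if (!qual.includes(tenantColumn)) add('error', `policy ${p.name} USING is not scoped by ${tenantColumn}`);
      }
      // WITH CHECK scopes what a tenant can write. For UPDATE/ALL it defaults to
      // USING when absent, but when present it must be scoped too, or rows can be
      // moved into another institution.
      if (p.cmd === 'INSERT' || check !== '') {
        if (admitsAll(check)) add('error', `policy ${p.name} WITH CHECK admits every row`);
        else if (!check.includes(tenantColumn)) add('error', `policy ${p.name} WITH CHECK is not scoped by ${tenantColumn}`);
      }
    }
  }
  return findings;
}

// CI summary: fail the pipeline when any error is present.
function summarize(findings) {
  const errors = findings.filter((f) => f.level === 'error').length;
  const warnings = findings.filter((f) => f.level === 'warn').length;
  return { errors, warnings, ok: errors === 0 };
}
```

The WITH CHECK case is the one most often missed: a USING clause scoped by institution_id stops a tenant reading another tenant's rows, but an UPDATE policy whose WITH CHECK is true still lets it move its own rows into another institution. Whatever the script reports, a superuser or any role with BYPASSRLS (Supabase's service_role key is one) is never subject to these policies, so server-side code holding such a key has to scope its own queries.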
Sub-processors overview
| Provider | Purpose | Location |
|---|---|---|
| Supabase | PostgreSQL database with RLS + Realtime WebSocket | EU region |
| Vercel | Application hosting and edge delivery | Global edge network |
| Google Cloud Vertex AI | Gemini model inference (9 AI workloads) | Configured cloud regions |
| Stripe | Subscription billing and payment processing | Regional PCI-DSS processing |
| Resend | Transactional email (verification, reset, alerts) | Global delivery infrastructure |
| Cloudflare R2 | S3-compatible storage for SCORM packages | Global object storage |
| Redis (BullMQ) | Job queue, presence tracking, session caching | Configured region |
| Sentry | Error tracking and performance monitoring | EU data residency available |
IT review checklist
- SAML 2.0 and OIDC SSO integration with per-institution configuration
- LTI 1.3 deep integration with Assignment & Grade Services (AGS)
- SCORM 1.2 and 2004 (3rd/4th Edition) export with quality gating (60/100 minimum)
- RLS-enforced multi-tenant data isolation with automated verification
- MFA enforcement with AES-256-GCM encrypted TOTP secrets
- JWT session governance (4-hour max age) with middleware-level route protection
- Automated security audit scripts and WCAG 2.1 AA accessibility audits
- GDPR, FERPA, and ICO registration documentation available
Request security documentation pack
Comprehensive pack for institutional due diligence: architecture diagrams, authentication flow documentation, encryption specifications, sub-processor DPIAs, and Jisc checklist alignment.
