Security Practices

Last Updated: January 28, 2026

GradeWithAI is committed to maintaining the highest standards of security to protect student data, teacher information, and educational records. This document outlines our comprehensive security practices.

Data Encryption

Encryption in Transit

All data transmitted between users and GradeWithAI is encrypted using Transport Layer Security (TLS) 1.2 or higher. This includes:

  • All web traffic (HTTPS enforced)
  • API communications
  • LMS integration data transfers
  • Internal service communications

Encryption at Rest

All stored data is encrypted using AES-256 encryption, including:

  • Database contents
  • File storage (student submissions, documents)
  • Backups
  • Logs containing sensitive information

Infrastructure Security

Cloud Infrastructure

GradeWithAI is hosted on industry-leading cloud platforms with robust security certifications:

  • Application Hosting: Vercel (SOC 2 Type II certified)
  • Database: Supabase (SOC 2 Type II certified, data stored in US)
  • AI Processing: Agreements with OpenAI, Anthropic, and Google with data processing terms that prohibit training on customer data

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation
  • Rate limiting on all API endpoints
  • IP-based access restrictions (available for enterprise)
  • Regular vulnerability scanning

Data Isolation

Each school's data is logically isolated within our systems. Teachers can only access data for their own students, and administrators can only access data within their organization.

Access Controls

Authentication

  • Secure password requirements (minimum length, complexity)
  • OAuth 2.0 integration with Google and Microsoft
  • Session timeout after a period of inactivity
  • Multi-factor authentication (MFA) available for enterprise accounts

Authorization

  • Role-based access control (RBAC)
  • Principle of least privilege for all system access
  • Teachers can only access their own classes and students
  • API keys scoped to specific permissions

Administrative Access

  • GradeWithAI employees do not have routine access to student data
  • Access to production systems requires MFA and is logged
  • All administrative access is reviewed and audited regularly
  • Background checks for employees with data access

Application Security

Secure Development

  • Security-focused code review process
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Regular security training for developers

OWASP Top 10 Protection

We implement controls to protect against the OWASP Top 10 web application security risks:

  • SQL injection prevention
  • Cross-site scripting (XSS) protection
  • Cross-site request forgery (CSRF) protection
  • Secure authentication and session management
  • Input validation and output encoding

API Security

  • API authentication required for all endpoints
  • Rate limiting to prevent abuse
  • Input validation on all API requests
  • Detailed API access logging

Security Assessments

Penetration Testing

We conduct regular penetration testing by qualified third-party security firms. Testing includes:

  • Annual comprehensive penetration tests
  • Quarterly vulnerability assessments
  • Testing after major feature releases

Vulnerability Management

  • Continuous automated vulnerability scanning
  • Critical vulnerabilities addressed within 24 hours
  • High vulnerabilities addressed within 7 days
  • Regular patching schedule for all systems

Monitoring and Logging

Security Monitoring

  • 24/7 automated security monitoring
  • Real-time alerting on suspicious activities
  • Anomaly detection systems
  • Regular log analysis and review

Audit Logging

We maintain comprehensive audit logs including:

  • User authentication events
  • Data access and modifications
  • Administrative actions
  • API access
  • Security events

Logs are retained for a minimum of 12 months and are protected from tampering.

Incident Response

Incident Response Plan

We maintain a documented incident response plan that includes:

  • Incident classification and severity levels
  • Response team roles and responsibilities
  • Communication procedures
  • Containment and eradication procedures
  • Recovery and lessons learned processes

Notification Timeline

  • Security incidents affecting customer data: notification within 72 hours
  • Regular updates provided during incident investigation
  • Post-incident report provided to affected customers

Business Continuity

Data Backup

  • Daily automated backups
  • Backups encrypted and stored in a geographically separate location
  • Regular backup restoration testing
  • Point-in-time recovery capability

Disaster Recovery

  • Documented disaster recovery plan
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Annual disaster recovery testing

Employee Security

Background Checks

All employees with access to customer data undergo background checks prior to employment.

Security Training

  • Security awareness training upon hire
  • Annual security refresher training
  • Phishing awareness programs
  • Role-specific security training for developers

Access Management

  • Principle of least privilege for all access
  • Access reviewed quarterly
  • Immediate access revocation upon termination

Third-Party Vendors

Subprocessor Security Requirements

All third-party vendors with access to customer data must meet our security requirements, including:

  • Security certifications (SOC 2 or equivalent)
  • Data processing agreements
  • Regular security assessments
  • Data handling and deletion procedures

Current Subprocessors

Vendor      Purpose               Data Location
Supabase    Database hosting      United States
Vercel      Application hosting   United States
OpenAI      AI processing         United States
Anthropic   AI processing         United States
Stripe      Payment processing    United States

Compliance

Certifications and Frameworks

  • SOC 2 Type II aligned security controls
  • FERPA compliant
  • COPPA compliant
  • SOPIPA compliant

Regular Assessments

  • Annual third-party security audits
  • Quarterly internal security reviews
  • Continuous compliance monitoring

Responsible Disclosure

We welcome security researchers to help us maintain the security of our platform. If you discover a security vulnerability, please report it to:

john@gradewithai.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggestions for remediation

We commit to responding to security reports within 48 hours and will work with researchers to understand and address issues promptly.

Contact

For security-related inquiries or to request additional documentation, email john@gradewithai.com.