Tenant isolation
SofaOps is a multi-tenant K-12 application with three tenant levels: district, school, and classroom. Every database row is tagged with its tenant chain. Postgres row-level security policies enforce that a query can only return rows the requesting user is authorized to read — a teacher in one school cannot read another school’s assignments, even by mistake, even from server code.
Service-role database access (which bypasses row-level security) is restricted to a small set of named endpoints used only for tenant provisioning, billing webhooks, and scheduled jobs.
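As an added illustration (not SofaOps's own schema or policies), the following Postgres SQL shows how a tenant chain and row-level security work together so that the database, not the calling code, decides which rows come back. Table and column names, the claim names (role, district_id, school_id) expected in the JWT, and the use of the request.jwt.claims setting that Supabase populates per request are assumptions; the authenticated role exists in Supabase and would have to be created on a plain Postgres.

```sql
-- Added example, not the project's own code. Every row carries its full
-- tenant chain (district -> school -> classroom).
create table assignments (
  id           bigserial primary key,
  district_id  uuid not null,
  school_id    uuid not null,
  classroom_id uuid not null,
  title        text not null
);

-- Assumed helper: read one claim from the JWT the API layer attaches to the
-- connection. Supabase exposes it as the request.jwt.claims setting.
create or replace function jwt_claim(name text) returns text
language sql stable as $$
  select current_setting('request.jwt.claims', true)::jsonb ->> name
$$;

grant select, insert on assignments to authenticated;

alter table assignments enable row level security;
-- FORCE binds the table owner too, so a forgotten WHERE clause in server
-- code running as the owner still cannot read across schools.
alter table assignments force row level security;

-- Teachers: only rows whose school matches the school in their token.
create policy assignments_teacher_read on assignments
  for select to authenticated
  using (school_id::text = jwt_claim('school_id'));

-- District administrators: every school inside their district.
create policy assignments_district_read on assignments
  for select to authenticated
  using (jwt_claim('role') = 'district_admin'
         and district_id::text = jwt_claim('district_id'));

-- Writes must also land in the caller's own tenant chain; WITH CHECK blocks
-- inserting a row tagged with some other school.
create policy assignments_teacher_write on assignments
  for insert to authenticated
  with check (school_id::text = jwt_claim('school_id')
              and district_id::text = jwt_claim('district_id'));

-- Note: Supabase's service_role carries BYPASSRLS, so none of the policies
-- above apply to it. That is why it belongs only in provisioning, billing
-- and scheduled-job endpoints, never in ordinary request handlers.

-- Constructed data: two schools in one district (fixed UUIDs for the demo).
insert into assignments (district_id, school_id, classroom_id, title) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
   'c0000000-0000-0000-0000-000000000001', 'School A: fractions quiz'),
  ('11111111-1111-1111-1111-111111111111', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
   'c0000000-0000-0000-0000-000000000002', 'School B: reading log');

-- Simulate a teacher request from school A: only the first row is visible.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"teacher-1","role":"teacher",'
  '"district_id":"11111111-1111-1111-1111-111111111111",'
  '"school_id":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}', true);
select title from assignments;
rollback;

-- Simulate a district administrator: both rows are visible.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"admin-1","role":"district_admin",'
  '"district_id":"11111111-1111-1111-1111-111111111111"}', true);
select title from assignments;
rollback;
```

The useful check when reviewing a setup like this is the second policy pair: a SELECT policy alone still lets a caller insert rows tagged with a foreign tenant unless a matching WITH CHECK exists, and FORCE ROW LEVEL SECURITY is what keeps owner-level connections from quietly skipping the policies.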
Authentication
- Adults (teachers, administrators, parents): authenticated by Clerk. Passwords never touch our servers. MFA available; required for school and district administrators. SAML SSO available for district licenses.
- Students under 13: per-classroom code plus display name and avatar. No email, no password, no PII. The class code is regenerable at any time by the teacher, which immediately invalidates all previously-issued student sessions.
- Older students: optional school-issued email login if the school enables it.
Session tokens are HTTP-only, secure-flagged, and SameSite=Lax. All sign-in events are logged in an audit trail visible to school administrators.
Encryption
- HTTPS enforced site-wide; HSTS with a one-year max-age
- Data encrypted at rest in Supabase Postgres and Supabase Storage
- Sensitive environment variables stored in Vercel as Sensitive, not readable from the dashboard once set
Compliance
- FERPA: SofaOps acts as a school-authorized service provider; education records remain under school custody
- COPPA: students under 13 use a no-PII login flow under the school-as-agent exception
- Data Processing Agreements (DPAs) available for school and district customers on request
- State-specific student data privacy laws (CA AB 1584, NY Ed Law §2-d, IL SOPPA, others): addressed on request
Operational practices
- Application code reviewed before merge; production deploys gated through Vercel
- Dependencies monitored via npm audit; critical CVEs patched within 24 hours
- Audit logs retained for all authentication and administrative actions
- Backups and point-in-time recovery handled by Supabase
- Incident response: school administrators notified within 72 hours of any confirmed unauthorized access to their data
Reporting a vulnerability
Email info@highlandcreates.com with details. We acknowledge reports within two business days. We do not currently run a bug bounty program, but responsible disclosures from researchers are welcome and credited where appropriate.