Encrypted in transit
All data is encrypted over HTTPS/TLS. No plaintext communication on any endpoint.
No data selling
We never sell, rent, or share student or school data with advertisers or third parties.
Role-based access
Admin, Teacher, Student, and Parent roles each access only what they need — nothing more.
Authentication & Access
JWT with short-lived tokens
Access tokens expire in 15 minutes. Refresh tokens in 7 days with automatic rotation.
Rate limiting on all auth endpoints
Login and signup are rate-limited to prevent brute-force attacks.
School-scoped data isolation
Each school's data is logically isolated. A user from one school cannot access another school's data.
Data Handling
Student data minimisation
We collect only what is necessary for the platform to function. No behavioural profiling or ad targeting.
Encrypted database at rest
All data is stored in an enterprise-grade cloud database with encryption at rest enabled on all clusters.
Automated daily backups
Incremental daily and full weekly backups with 30-day retention. Tested restore procedures.
Right to deletion
Schools can request full data deletion. All student records, activity logs, and media are purged within 30 days.
Infrastructure
HTTPS everywhere
All pages served over HTTPS. HTTP requests are permanently redirected.
Protected static file access
Uploaded files and exports require a valid JWT — they are not publicly accessible URLs.
CORS strict policy
Cross-origin requests are restricted to the production domain only. No-origin requests are rejected in production.
Report a security issue
Found a vulnerability? Please report it responsibly. We take all reports seriously and respond within 48 hours.
security@tryspyral.com