
Security

Last updated: May 20, 2026 · Status: private pilot, no public users yet

For a one-page scorecard mapped to a district vendor questionnaire, see our trust and compliance page.

Tenant isolation

SofaOps is a multi-tenant K-12 application with three tenant levels: district, school, and classroom. Every database row is tagged with its tenant chain. Postgres row-level security policies enforce that a query can only return rows the requesting user is authorized to read. A teacher in one school cannot read another school’s assignments, even by mistake, even from server code.

Service-role database access (which bypasses row-level security) is restricted to a small set of named endpoints used only for tenant provisioning, billing webhooks, and scheduled jobs.
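The tenant-chain policy described above, sketched in plain Postgres as an added illustration; it is not SofaOps's actual schema or policy set. The table, column and setting names (assignments, memberships, app.user_id) are assumptions, and the two catalog queries at the end are the checks a reviewer would run to find tables without row-level security and roles that bypass it.

```sql
-- Added illustration; every table, column and setting name is hypothetical.
CREATE TABLE assignments (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    district_id  uuid NOT NULL,   -- tenant chain: district
    school_id    uuid NOT NULL,   --               school
    classroom_id uuid NOT NULL,   --               classroom
    title        text NOT NULL
);

-- One row per grant. NULL school_id or classroom_id means "every tenant
-- below this level", e.g. a district administrator.
CREATE TABLE memberships (
    user_id      uuid NOT NULL,
    district_id  uuid NOT NULL,
    school_id    uuid,
    classroom_id uuid
);

ALTER TABLE assignments ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policies.
ALTER TABLE assignments FORCE ROW LEVEL SECURITY;

-- Fail closed: an unset or empty app.user_id yields NULL and matches no row.
CREATE POLICY assignments_read ON assignments
    FOR SELECT
    USING (EXISTS (
        SELECT 1
        FROM memberships m
        WHERE m.user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
          AND m.district_id = assignments.district_id
          AND (m.school_id IS NULL OR m.school_id = assignments.school_id)
          AND (m.classroom_id IS NULL OR m.classroom_id = assignments.classroom_id)
    ));

-- Per request, as a role that does not bypass RLS (constructed UUID):
BEGIN;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
SELECT id, title FROM assignments;   -- only rows inside the caller's chain
COMMIT;

-- Review check 1: tables in the schema that have no RLS at all.
SELECT c.relname
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;

-- Review check 2: roles that ignore every policy (service-role equivalents).
SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;
```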

Authentication

  • Adults (teachers, administrators, parents): authenticated by Clerk. Passwords never touch our servers. MFA available to any user from their account settings. SAML SSO available to district licenses on request; we wire up a connection when a district provides their IdP metadata.
  • Students under 13: per-classroom code plus display name and avatar. No email, no password, no PII. The teacher can regenerate the class code at any time, which immediately invalidates all previously issued student sessions.
  • Older students: optional school-issued email login if the school enables it.

Session tokens are HTTP-only, secure-flagged, and SameSite=Lax. Sign-in events are logged for security investigations. A school-admin-visible audit log surface is on our near-term roadmap.

Encryption

  • HTTPS enforced site-wide; HSTS with a one-year max-age
  • Data encrypted at rest in Supabase Postgres and Supabase Storage
  • Sensitive environment variables stored in Vercel as Sensitive, not readable from the dashboard once set

Compliance

  • FERPA: SofaOps acts as a school-authorized service provider; education records remain under school custody
  • COPPA: students under 13 use a no-PII login flow under the school-as-agent exception
  • Data Processing Agreements (DPAs) available for school and district customers on request
  • State-specific student data privacy laws (CA AB 1584, NY Ed Law §2-d, IL SOPPA, others): addressed on request

Operational practices

  • Application code reviewed before merge; production deploys gated through Vercel
  • Dependencies monitored via npm audit; critical CVEs patched within 24 hours
  • Audit logs retained for all authentication and administrative actions
  • Backups and point-in-time recovery handled by Supabase
  • Incident response: school administrators notified within 72 hours of any confirmed unauthorized access to their data

What we are working toward

We are a small company that does not have SOC 2 or iKeepSafe certifications yet. We are transparent about that. Our infrastructure providers (Vercel, Supabase, Clerk, Resend, Stripe) are each SOC 2 Type II, so SofaOps inherits audited controls at the platform layer. As paid revenue grows we plan to pursue, in this order:

  1. A published status page and public incident log
  2. An independent WCAG 2.1 AA accessibility audit
  3. iKeepSafe FERPA and COPPA certifications
  4. SOC 2 Type II

See the trust and compliance page for the full scorecard.

Reporting a vulnerability

Email info@fcgok.com with details. We acknowledge reports within two business days. We do not currently run a bug bounty program, but responsible disclosures from researchers are welcome and credited where appropriate.