OperateEDU handles school operations data with the care it demands. Here's exactly what we've built and what's on our roadmap.
All connections to OperateEDU use HTTPS with TLS 1.2 or higher. No unencrypted connections are accepted.
All data stored in our database is encrypted at rest using AES-256 via Supabase's managed PostgreSQL infrastructure.
Backend services run on Railway with automatic deployments from version-controlled code. The database is hosted on Supabase with managed backups.
Frontend is served via Cloudflare Pages with global edge caching, DDoS protection, and automatic HTTPS.
Supabase provides daily automated backups. Documented recovery procedures and point-in-time restore testing are in progress.
Multi-region deployment is planned for future scale. Currently single-region with managed high availability from hosting providers.
Four user roles (superadmin, admin, operations, staff) with 40+ granular permission flags. Users only see what their role allows.
Access to modules (workflows, reports, dashboards, assessments) is controlled by school plan and individual permission flags.
Admins can create custom roles with a granular permission editor, starting from base presets or building from scratch.
Single sign-on via Google OAuth for schools using Google Workspace. Reduces password fatigue and centralizes authentication.
Deactivated users are immediately locked out. Sessions are invalidated, but the user record and audit trail are preserved for compliance.
SOC 2 certification is on our roadmap as we scale. Current controls are designed to align with SOC 2 Trust Service Criteria.
Sessions expire after 45 minutes of inactivity with a 1-minute warning. Active sessions are tracked and can be invalidated on deactivation.
Login, password reset, and sensitive endpoints are rate-limited to prevent brute-force attacks.
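The following is an added illustration of the kind of rate limiting described above; it is not OperateEDU's code. It keeps a sliding window of attempt timestamps per key and throttles login attempts on two keys at once, the client address and the target account, so neither a single source spraying many accounts nor many sources hammering one account gets unlimited guesses. The limits (20 per address and 5 per account per 15 minutes), the key format and the in-memory store are assumptions; a multi-instance deployment would back the store with something shared such as Redis.

```javascript
// Sliding-window rate limiter (added example; limits and key format are assumptions).
class SlidingWindowLimiter {
  // limit: maximum attempts allowed within any windowMs-long window
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending list of attempt timestamps (ms)
  }

  // Record an attempt for `key` and report whether it is allowed.
  // `now` is injectable so the behaviour can be tested deterministically.
  attempt(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // Oldest attempt in the window decides when the next one will be accepted.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop keys with no attempts inside the window so the map cannot grow without bound.
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [key, stamps] of this.hits) {
      const kept = stamps.filter((t) => t > cutoff);
      if (kept.length === 0) this.hits.delete(key);
      else this.hits.set(key, kept);
    }
  }
}

// Login-specific wrapper: both limiters must agree before the credential check runs.
class LoginThrottle {
  constructor() {
    this.perIp = new SlidingWindowLimiter(20, 15 * 60 * 1000);  // assumed: 20 / 15 min per address
    this.perUser = new SlidingWindowLimiter(5, 15 * 60 * 1000); // assumed: 5 / 15 min per account
  }

  // Returns true if the attempt may proceed. Usernames are lower-cased so case
  // variations of the same account share one budget.
  allow(ip, username, now = Date.now()) {
    const byIp = this.perIp.attempt(`ip:${ip}`, now);
    const byUser = this.perUser.attempt(`user:${username.toLowerCase()}`, now);
    return byIp.allowed && byUser.allowed;
  }
}
```

Check the throttle before touching the password hash so that throttled requests cost nothing, and return the same generic error for "throttled" and "wrong password" to avoid leaking which accounts exist.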
New users provisioned with temporary passwords must reset on first login. Passwords are hashed with a server-side pepper.
Passwords are never stored in plaintext. All password hashing uses a server-side pepper combined with industry-standard hashing.
Every workflow status change, admin action, login, and data access is logged with actor, timestamp, and details. Audit logs are searchable and exportable to CSV.
Access to personally identifiable information is logged separately for compliance and audit purposes.
User count, domain, and feature access limits are being hardened with server-side validation to prevent client-side bypass.
Planned as part of our SOC 2 preparation. We welcome responsible disclosure at security@operateedu.com.
All code changes go through Git with branch protections. Deployments to production require staging verification first.
All secrets, API keys, and credentials are stored as environment variables — never committed to source code.
Every change is deployed and tested on a staging environment before reaching production. No direct pushes to main.
All incoming webhooks (Stripe, provisioning) are verified using cryptographic signatures before processing.
Security incidents will be communicated to affected schools within 72 hours via email. Formal incident response documentation is being finalized.
Client-side errors are logged via a log-client-error endpoint. Server-side real-time monitoring (Sentry/Datadog) is being configured.
Planned as the team scales. Current team follows secure development practices as part of daily workflow.
OperateEDU acts as a service provider under FERPA. Schools retain full ownership and control of all data including student PII. Student data is only in the system because the school imported it.
We never sell, share, or use school data for advertising purposes. Your data exists solely to power your school's operations.
Every database query is scoped to the authenticated school. Schools cannot access each other's data by design.
Schools can export their data via CSV from reports, audit logs, and dashboards at any time. Your data is never held hostage.
Data processing is limited to essential services: Supabase (database), Railway (compute), Cloudflare (CDN), Stripe (payments), Google (email/SSO). Full list in our Privacy Policy.
A standard DPA for schools that require one is being finalized. Contact info@operateedu.com to request one.
Planned automated data lifecycle management. Currently, data deletion is handled on request per our privacy policy.
We take security seriously and welcome questions from prospective and current customers. For security disclosures, contact us directly.
Start your free trial and see how OperateEDU protects your school's data.