Data Security

How we protect your information, designed to meet the expectations of professional educators and school administrators.

Authentication

Passwords are never stored in plain text. Supabase Auth uses industry-standard bcrypt hashing. Sessions are managed via secure, HttpOnly, SameSite=Lax cookies, not localStorage tokens. This prevents common XSS session-hijacking attacks.

Database Row Level Security (RLS)

Our Postgres database enforces Row Level Security policies on every table. Each user can only read and write their own rows. Admin operations (registration, credit grants, download tracking) use a server-side service role key that is never exposed to the browser.

Resource file delivery

Resource files are stored in a private Supabase Storage bucket. They cannot be accessed without a valid, time-limited signed URL. Signed URLs expire after 2 minutes and are generated only after server-side authentication and credit verification. Direct bucket URLs are blocked.

Payment security

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified processor. StandardCraft never stores card numbers, CVCs, or full billing details. We receive only billing metadata (customer ID, subscription ID, plan status) via Stripe webhooks. Webhook payloads are verified using Stripe's HMAC signature before processing.
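
The webhook signature check described above, as an added example that is not StandardCraft's own code. It follows Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `timestamp.rawBody`); the function names, secret and event body are constructed for illustration, and a production handler would normally call the Stripe library's `stripe.webhooks.constructEvent` instead.

```javascript
const crypto = require('node:crypto');

// Split "t=<unix seconds>,v1=<hex>[,v1=<hex>...]" into its parts.
function parseSignatureHeader(header) {
  const parsed = { timestamp: NaN, signatures: [] };
  for (const part of String(header || '').split(',')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === 't' && value !== '') parsed.timestamp = Number(value);
    else if (key === 'v1') parsed.signatures.push(value);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function signPayload(rawBody, timestamp, secret) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`, 'utf8').digest('hex');
}

// Returns the parsed event only if the signature and timestamp check out; throws otherwise.
// rawBody must be the exact text received, before any JSON parsing or re-serialisation.
function verifyWebhook(rawBody, header, secret, nowSeconds, toleranceSeconds = 300) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (!Number.isInteger(timestamp) || signatures.length === 0) {
    throw new Error('malformed signature header');
  }
  // Reject old deliveries so a captured request cannot be replayed later.
  if (Math.abs(nowSeconds - timestamp) > toleranceSeconds) {
    throw new Error('timestamp outside tolerance');
  }
  const expected = Buffer.from(signPayload(rawBody, timestamp, secret), 'hex');
  const match = signatures.some((sig) => {
    const candidate = Buffer.from(sig, 'hex');
    // timingSafeEqual throws on unequal lengths, so check length first.
    return candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected);
  });
  if (!match) throw new Error('signature mismatch');
  return JSON.parse(rawBody);
}

// Constructed sample data (not real Stripe values).
const SAMPLE_SECRET = 'whsec_constructed_example';
const SAMPLE_BODY = '{"id":"evt_constructed","type":"customer.subscription.updated"}';
const SAMPLE_TIME = 1700000000;
const SAMPLE_HEADER = `t=${SAMPLE_TIME},v1=${signPayload(SAMPLE_BODY, SAMPLE_TIME, SAMPLE_SECRET)}`;
console.log(verifyWebhook(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_TIME + 30).type);
```

The handler must see the request body exactly as it arrived; a framework that parses and re-serialises JSON first will change the bytes and every signature will fail.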

Transport security

All connections to StandardCraft are served over HTTPS (TLS 1.2+). HTTP requests are redirected to HTTPS. Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are applied to all responses.

API key management

Supabase service role keys and Stripe secret keys are stored as server-side environment variables. They are never embedded in client-side JavaScript bundles. The public Supabase anon key exposed to the browser can only perform operations explicitly permitted by RLS policies.

Ed Law §2-d (School accounts)

School and district accounts are governed by a data sharing agreement (DSA) executed under New York Education Law §2-d (8 NYCRR Part 121). Educator PII collected under school contracts is used solely for service delivery, is never sold, and is not used for advertising targeting.

Incident response

In the event of a data breach involving personal information, we will notify affected users within 72 hours of discovery, consistent with applicable law. School contract customers will be notified in accordance with their DSA.

Questions about our security practices? Contact us or email security@standardcraft.app.