SECURITY
Last updated April 24, 2026
Security at GradePath is built in, not bolted on. This page describes our practices and how to report a vulnerability.
1. What we protect and how
Encryption
- All web traffic uses TLS 1.2 or higher. HTTPS is enforced on every request.
- Learning Management System credentials are encrypted at rest using AES-256-GCM.
- Database contents are encrypted at rest by our infrastructure provider (Supabase).
- Authentication credentials are hashed, never stored in plaintext.
Access controls
- Row-level security (RLS) is enforced on every data table. Users cannot read or write data that does not belong to them, even if the application layer has a bug.
- Administrative accounts use two-factor authentication.
- Production secrets are stored in the hosting provider's environment variable system and are never committed to source control.
- Cron endpoints that perform automated actions on user data require a rotating shared secret.
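Two of the controls above, the rotating shared secret on cron endpoints and the constant-time handling it implies, can be shown in a few lines. The following TypeScript is an added illustration written for this page, not GradePath's own code; the "current plus previous secret" layout and the `authorizeCronRequest` function are assumptions. Keeping the previous secret valid for a short overlap is what makes rotation safe to do without breaking jobs already scheduled with the old value.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical secret store for a cron endpoint. Holding the previous secret
// alongside the current one lets a rotation happen without a window where
// in-flight scheduled jobs are rejected. (Assumed layout, not the project's.)
export interface CronSecrets {
  current: string;
  previous?: string;
}

export type CronAuthResult = "ok-current" | "ok-previous" | "rejected";

function digest(value: string): Buffer {
  return createHash("sha256").update(value, "utf8").digest();
}

// Constant-time comparison. Hashing both sides first makes them the same
// length (32 bytes), so timingSafeEqual never throws on a length mismatch and
// the secret's length is not leaked through an early exit.
function secretMatches(presented: string, expected: string): boolean {
  return timingSafeEqual(digest(presented), digest(expected));
}

// Parses an "Authorization: Bearer <secret>" header and checks it against
// the current secret first, then the previous one. Callers should log
// "ok-previous" so a job still using the old value gets updated before the
// overlap period ends.
export function authorizeCronRequest(
  authorizationHeader: string | undefined,
  secrets: CronSecrets
): CronAuthResult {
  if (!authorizationHeader) return "rejected";
  const match = /^Bearer\s+(\S+)$/.exec(authorizationHeader);
  if (!match) return "rejected";
  const presented = match[1] ?? "";
  if (secretMatches(presented, secrets.current)) return "ok-current";
  if (secrets.previous !== undefined && secretMatches(presented, secrets.previous)) {
    return "ok-previous";
  }
  return "rejected";
}

// Maps the check onto an HTTP status for a route handler.
export function cronStatusFor(result: CronAuthResult): number {
  return result === "rejected" ? 401 : 200;
}
```

Once the overlap period has passed, the previous secret is dropped from the store and any request still presenting it is rejected, which is the behaviour the last assertion below checks.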
Application security
- The codebase uses TypeScript strict mode. Type safety is a security control.
- Input validation is enforced at API boundaries.
- Automated tests run on every change before deployment.
- Dependency vulnerabilities are monitored and patched on an ongoing basis.
- Error tracking surfaces issues in near real-time.
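The first two items above, strict TypeScript and input validation at API boundaries, work together: the boundary is the one place where an untrusted `unknown` value is narrowed into a typed one, and strict mode then prevents unchecked values from reaching the rest of the code. The example below is added for this page and is not GradePath's code; the request shape (a hypothetical grade-sync job with `courseId`, `assignmentIds` and `dryRun`) and the limits are assumptions.

```typescript
// Added example: validating an untrusted JSON body at an API boundary so
// that downstream code only ever sees a narrowed, typed value.
// The request shape is hypothetical; limits are illustrative.

export interface GradeSyncRequest {
  courseId: string;        // opaque identifier, 1-64 chars of [A-Za-z0-9_-]
  assignmentIds: string[]; // same format, 1..MAX_ASSIGNMENTS entries
  dryRun: boolean;
}

export type ValidationResult =
  | { ok: true; value: GradeSyncRequest }
  | { ok: false; errors: string[] };

const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
const MAX_ASSIGNMENTS = 100;

function isRecord(x: unknown): x is Record<string, unknown> {
  return typeof x === "object" && x !== null && !Array.isArray(x);
}

export function validateGradeSyncRequest(body: unknown): ValidationResult {
  const errors: string[] = [];
  if (!isRecord(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }

  // Reject unexpected keys rather than ignoring them: a permissive parser
  // silently accepts fields that a later code path might trust.
  const allowed = new Set(["courseId", "assignmentIds", "dryRun"]);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`unexpected field: ${key}`);
  }

  const courseId = body.courseId;
  if (typeof courseId !== "string" || !ID_PATTERN.test(courseId)) {
    errors.push("courseId must match " + ID_PATTERN.source);
  }

  const assignmentIds = body.assignmentIds;
  if (!Array.isArray(assignmentIds)) {
    errors.push("assignmentIds must be an array");
  } else if (assignmentIds.length === 0 || assignmentIds.length > MAX_ASSIGNMENTS) {
    errors.push(`assignmentIds must contain 1..${MAX_ASSIGNMENTS} entries`);
  } else {
    assignmentIds.forEach((id: unknown, i: number) => {
      if (typeof id !== "string" || !ID_PATTERN.test(id)) {
        errors.push(`assignmentIds[${i}] must match ` + ID_PATTERN.source);
      }
    });
  }

  const dryRun = body.dryRun;
  if (typeof dryRun !== "boolean") errors.push("dryRun must be a boolean");

  if (errors.length > 0) return { ok: false, errors };

  // Every field has been checked above, so these assertions are sound.
  return {
    ok: true,
    value: {
      courseId: courseId as string,
      assignmentIds: assignmentIds as string[],
      dryRun: dryRun as boolean,
    },
  };
}
```

A handler would call `validateGradeSyncRequest(await request.json())` and return 400 with the `errors` list on failure; on success the `value` it receives has the declared type, so no later function needs to re-check it. Collecting every error instead of stopping at the first makes the 400 response more useful to a legitimate client without revealing anything beyond the documented schema.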
Infrastructure
- Hosting: Vercel (SOC 2 Type II).
- Database and auth: Supabase (SOC 2 Type II).
- Payments: Stripe (PCI DSS Level 1). Card data is never stored by us.
- AI inference: Anthropic, under commercial API terms that exclude training on customer data.
2. Reporting a vulnerability
If you have identified a security vulnerability in GradePath, please report it to us. We appreciate coordinated disclosure.
Preferred format: Include a clear description of the vulnerability, steps to reproduce, the potential impact, and any proof-of-concept code or screenshots. Do not include actual user data.
3. Safe harbor
We will not pursue legal action against researchers who:
- act in good faith and make a genuine effort to avoid privacy violations, data destruction, or service interruption;
- only interact with accounts they own or have explicit permission to test;
- report findings to us and give us a reasonable opportunity (at least 90 days) to remediate before public disclosure;
- do not exploit the vulnerability beyond the minimum necessary to confirm its existence.
4. What is out of scope
- Denial-of-service attacks or load testing against production.
- Social engineering of GradePath staff, contractors, or customers.
- Physical security of offices or personnel.
- Automated scanner output without proof of an exploitable vulnerability.
- Vulnerabilities in third-party providers (report those directly to the provider).
- Missing "best practice" headers that do not correspond to an actual vulnerability.
- Reports generated solely by automated tools such as "your site is missing HSTS" without demonstrated impact.
5. Response timeline
- Acknowledgement: within 48 hours of receiving your report.
- Initial assessment: within 5 business days.
- Remediation target: critical issues within 24 hours, high within 7 days, medium within 30 days, low within 90 days.
- Disclosure: once the issue is resolved, we are happy to credit you in a public acknowledgement (with your permission).
6. Bug bounty
GradePath does not currently operate a paid bug bounty program. We recognize the work of responsible researchers through public acknowledgement. As the product grows, we intend to launch a bounty program. If you would like to be notified when it opens, include that in your report.
7. Incident notification
In the event of a confirmed security incident affecting user data, we will notify affected users without undue delay and in any event as required by applicable law. For institutional customers with Data Processing Addenda, we notify within the contractually agreed timeframe (typically 72 hours).
8. security.txt