Your students' information is sensitive. We take that seriously — from how we store passwords to how we enforce access between organizations.
Passwords are hashed using PBKDF2 with 100,000 iterations and a unique 16-byte random salt per password. We never store plain-text passwords, not even temporarily.
Sessions use HttpOnly, Secure, SameSite=Lax cookies. HttpOnly keeps the session token out of reach of JavaScript on the page, Secure means the browser only sends it over HTTPS, and SameSite=Lax stops the browser from attaching it to cross-site requests other than top-level navigations, which blunts CSRF against state-changing endpoints.
Your organization's data is siloed server-side. Tenant identity is derived from your authenticated session — never from a URL slug or client-supplied parameter.
Permissions are fine-grained per module (Roster, Notes, Admin, etc.), with a configurable access level (None, View, Edit, Admin) for each role. Admins adjust these levels themselves, without developer involvement.
All data is stored in Supabase Postgres and Storage, encrypted at rest, with production traffic delivered through Vercel's global edge network.
Admin actions (approvals, role changes) are logged with actor identity and timestamp. Audit records are retained for 180 days.
All traffic is encrypted in transit. HTTPS is enforced and responses carry an HSTS header, so a browser that has visited once will not attempt plain HTTP again. No plain-text HTTP endpoint exists anywhere in our stack.
Demo sessions expire after 60 minutes and are strictly read-only. Demo data contains no real PII, and demo endpoints are rate limited to curb abuse.
Demo users cannot create, edit, delete, export, or invite. Every mutation endpoint checks the session type server-side, so hiding or re-enabling a UI control cannot bypass the restriction.
Security checks exist at multiple layers. Even if a UI control is bypassed, the server-side permission check will reject unauthorized requests.
New users start with minimum access and are upgraded by an admin. Leaders only see and do what their role allows — nothing more.
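The server-side checks described in the sections on tenant isolation, per-module permissions, audit logging, demo sessions, layered checks and least privilege, worked as one added example rather than StoryTrackr's actual code. The session store, role matrix, action names and request shape are constructed for the example; a real handler would load them from the database. What it shows: the request's own orgId is never consulted, a demo session is refused every mutation before its role is even looked at, a role with no grants resolves to None, and Admin-level actions produce an audit record that a retention pass drops after 180 days.

```javascript
// Added example, not StoryTrackr's own code: the server-side authorization
// path the page describes. Tenant comes from the session (never from the
// request), each role has a per-module level ordered None < View < Edit < Admin,
// demo sessions are read-only and expire after 60 minutes, new users start at
// None, and Admin-level actions are audited with actor and timestamp and kept
// for 180 days. Session store, role matrix and request shape are constructed.
const LEVELS = ['None', 'View', 'Edit', 'Admin'];
const rank = (level) => LEVELS.indexOf(level);

// Minimum level each action needs. Everything except 'read' is a mutation.
const ACTION_LEVEL = {
  read: 'View', create: 'Edit', update: 'Edit', delete: 'Edit', export: 'Edit',
  invite: 'Admin', approve: 'Admin', changeRole: 'Admin',
};
const MUTATIONS = new Set(Object.keys(ACTION_LEVEL).filter((a) => a !== 'read'));

const MINUTE = 60_000;
const DEMO_TTL = 60 * MINUTE;
const AUDIT_RETENTION = 180 * 24 * 60 * MINUTE;

// Constructed per-tenant role matrix. A role with no entry for a module
// (or no entries at all, like a freshly created user) resolves to None.
const ROLE_MATRIX = {
  'org-1': {
    admin:   { Roster: 'Admin', Notes: 'Admin', Admin: 'Admin' },
    leader:  { Roster: 'Edit',  Notes: 'View' },
    newUser: {},
  },
  'org-demo': { demo: { Roster: 'Admin', Notes: 'Admin', Admin: 'Admin' } },
};

// Constructed server-side session store, keyed by the opaque token carried in
// the HttpOnly cookie. The client never supplies orgId or role directly.
const T0 = Date.parse('2024-01-01T12:00:00Z');
const SESSIONS = {
  'tok-admin':  { userId: 'u1', orgId: 'org-1', role: 'admin',   type: 'user' },
  'tok-leader': { userId: 'u2', orgId: 'org-1', role: 'leader',  type: 'user' },
  'tok-new':    { userId: 'u3', orgId: 'org-1', role: 'newUser', type: 'user' },
  'tok-demo':   { userId: 'demo', orgId: 'org-demo', role: 'demo', type: 'demo', expiresAt: T0 + DEMO_TTL },
};

const AUDIT_LOG = [];

function accessLevel(orgId, role, module) {
  const level = ROLE_MATRIX[orgId]?.[role]?.[module];
  return LEVELS.includes(level) ? level : 'None';
}

// Authorize one request. Any orgId the request carries (URL slug, query
// parameter, body field) is ignored on purpose; the tenant is whatever the
// session says. Returns { ok, status, reason } on refusal or
// { ok, status, orgId, userId } on success; callers scope queries by that orgId.
function authorize(request, now = T0) {
  const session = SESSIONS[request.cookies?.session];
  if (!session) return { ok: false, status: 401, reason: 'no valid session' };
  if (session.expiresAt !== undefined && now >= session.expiresAt) {
    return { ok: false, status: 401, reason: 'session expired' };
  }
  const needed = ACTION_LEVEL[request.action];
  if (!needed) return { ok: false, status: 400, reason: `unknown action ${request.action}` };
  // Demo check runs before the permission check: even a demo "admin" cannot write.
  if (session.type === 'demo' && MUTATIONS.has(request.action)) {
    return { ok: false, status: 403, reason: 'demo sessions are read-only' };
  }
  const have = accessLevel(session.orgId, session.role, request.module);
  if (rank(have) < rank(needed)) {
    return { ok: false, status: 403, reason: `${session.role} has ${have} on ${request.module}, needs ${needed}` };
  }
  if (needed === 'Admin') {
    AUDIT_LOG.push({ actor: session.userId, orgId: session.orgId, action: request.action, module: request.module, at: new Date(now).toISOString() });
  }
  return { ok: true, status: 200, orgId: session.orgId, userId: session.userId };
}

// Drop audit records older than the retention window. Returns how many remain.
function pruneAudit(now) {
  const cutoff = now - AUDIT_RETENTION;
  for (let i = AUDIT_LOG.length - 1; i >= 0; i--) {
    if (Date.parse(AUDIT_LOG[i].at) < cutoff) AUDIT_LOG.splice(i, 1);
  }
  return AUDIT_LOG.length;
}
```

Call authorize at the top of every route handler, before any query runs, and scope the query by the orgId it returns rather than by anything in the request. Because the guard sits in the handler and not in the UI, a disabled button or an edited client bundle changes nothing about what the server accepts.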
We do not sell, share, or use your student data for advertising. Your data is used solely to operate the StoryTrackr service.
Found a security issue? Email security@storytrackr.app. We'll respond within 48 hours and credit you if you'd like.