Trust & Security
How we protect students, staff, and district data — written for IT directors, CISOs, and procurement reviewers.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest on the database, backups, and file storage.
Strong authentication
Email + password with Have-I-Been-Pwned leaked-password check, Google SSO, and optional SAML SSO for districts.
District data isolation
Row-Level Security policies enforce that one district, school, or class can never read another's data. Verified by automated tests.
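The isolation claim above rests on Postgres Row-Level Security, which is what Supabase exposes. The following is an added illustration of how such a policy and its automated isolation check are typically written; it is not the product's own schema or policy text. It assumes a memberships table mapping each signed-in user to a district, a students table carrying district_id, and Supabase's auth.uid() helper plus its authenticated role (all assumptions, not taken from this page).

```sql
-- Added example (not this product's schema): Postgres Row-Level Security for
-- district isolation, in the shape a Supabase project would use.
-- Assumed: Supabase's auth.uid() reads the caller's user id from the JWT,
-- and an "authenticated" role exists for signed-in users.

create table if not exists public.memberships (
  user_id     uuid not null,            -- Supabase auth user id
  district_id uuid not null,
  primary key (user_id, district_id)
);

create table if not exists public.students (
  id          uuid primary key default gen_random_uuid(),
  district_id uuid not null,
  school_id   uuid,
  full_name   text not null
);

-- Step 1: enable RLS. With RLS on and no matching policy, the default is deny,
-- so any operation not explicitly allowed below returns no rows.
alter table public.students enable row level security;

-- Step 2: resolve the caller's district(s) from their identity. SECURITY DEFINER
-- lets it read memberships even if that table is itself RLS-protected; the
-- pinned search_path prevents function-resolution hijacking.
create or replace function public.current_district_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select district_id from public.memberships where user_id = auth.uid();
$$;

-- Step 3: one policy per operation, scoped to the authenticated role only.
create policy "students: read own district"
  on public.students for select to authenticated
  using (district_id in (select public.current_district_ids()));

create policy "students: insert into own district"
  on public.students for insert to authenticated
  with check (district_id in (select public.current_district_ids()));

create policy "students: update within own district"
  on public.students for update to authenticated
  using (district_id in (select public.current_district_ids()))
  with check (district_id in (select public.current_district_ids()));

-- Step 4: the automated isolation check. Seed two districts (constructed ids),
-- impersonate a district-A user the way PostgREST does (JWT claims in
-- request.jwt.claims, then switch role), and fail loudly if any district-B
-- row is visible.
do $$
declare
  district_a uuid := '11111111-1111-1111-1111-111111111111'; -- constructed
  district_b uuid := '22222222-2222-2222-2222-222222222222'; -- constructed
  user_a     uuid := 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'; -- constructed
  leaked     integer;
begin
  insert into public.memberships values (user_a, district_a) on conflict do nothing;
  insert into public.students (district_id, full_name) values
    (district_a, 'Student A'), (district_b, 'Student B');

  perform set_config('request.jwt.claims',
                     json_build_object('sub', user_a, 'role', 'authenticated')::text,
                     true);
  set local role authenticated;

  select count(*) into leaked from public.students where district_id = district_b;
  if leaked <> 0 then
    raise exception 'RLS leak: district A user can see % row(s) of district B', leaked;
  end if;

  reset role;
  raise notice 'isolation check passed';
end $$;
```

Run the check inside an explicit transaction (begin; ... rollback;) so the constructed seed rows never persist, and run it from a role that is allowed to SET ROLE to authenticated, as a migration-owner role in Supabase is. The useful property to notice is that the check does not filter on the application side: it counts rows the database itself lets the impersonated user see, so a policy that is accidentally dropped or rewritten fails the check immediately.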
US hosting on SOC 2 infra
Hosted on Supabase / AWS us-east. Daily automated backups with up to 7-day point-in-time recovery.
Continuous monitoring
Dependency scanning + automated security review on every code change. Authentication and privileged actions are logged.
72-hour breach notice
If a confirmed incident affects district data, we notify the district within 72 hours and coordinate remediation.
What we do NOT do
- We do not sell, rent, or share student data with advertisers.
- We do not run behavioral ad-tracking pixels on student pages.
- We do not use student inputs to train third-party AI models.
- We do not collect SSNs, home addresses, biometrics, or geolocation.
Upstream certifications
Our infrastructure providers maintain independent third-party audits that we inherit:
- Supabase / AWS — SOC 2 Type II, ISO 27001, GDPR
- Resend — SOC 2 Type II
- Lovable (hosting/deployment) — SOC 2 Type II
Our own SOC 2 Type II audit is on the roadmap. Contact us for the current status letter.
Report a vulnerability
We welcome responsible disclosure. Please email security@myfeelingsmatter.online with steps to reproduce. We acknowledge within 2 business days.