Information Security Policy
Last updated: March 2026
Purpose
This policy establishes the information security requirements for Teacher's Buddy to protect the confidentiality, integrity, and availability of data entrusted to us by educators, schools, and publishers.
Data Classification
| Classification | Description | Examples |
|---|---|---|
| Public | Information intended for public access | Marketing content, published resources |
| Internal | Information for team use only | Architecture docs, team communications |
| Confidential | Sensitive information requiring protection | User PII, organisation data, API keys |
| Restricted | Highly sensitive information | Production credentials, encryption keys |
Access Control
- All production systems require multi-factor authentication.
- Access follows the principle of least privilege. Team members are granted the minimum permissions necessary for their role.
- User-facing access is role-based at organisation and workspace levels (Owner, Admin, Member), enforced server-side.
- System admin operations require WebAuthn/passkey MFA elevation.
- Access reviews are conducted when team members join or leave.
Authentication
Teacher's Buddy uses passwordless authentication exclusively: OAuth (Google, Microsoft, Apple), magic links (15-minute expiry), and email OTP (6-digit, 10-minute expiry, 5 attempts max). No passwords are stored or transmitted.
Session tokens are 64 bytes of cryptographically secure randomness, stored as HTTP-only cookies with SameSite and Secure flags. Sessions expire after 7 days with daily refresh.
Encryption
- In transit: TLS 1.2+, enforced via HSTS with preload and the upgrade-insecure-requests CSP directive.
- At rest: PlanetScale (AES-256, SOC 2 Type II), Cloudflare R2 (AES-256), Vercel (encrypted deployments).
- Webhook payloads are verified using HMAC-SHA256 signatures.
Application Security
- Input validation using Zod schemas on all API endpoints.
- Output sanitisation using DOMPurify for all user-generated HTML.
- Content-Security-Policy headers enforced across all applications.
- Rate limiting on authentication and generation endpoints.
- Security-focused code reviews on all changes.
- Internal security audits covering 14 domains conducted regularly.
- External penetration testing conducted annually.
- Dependency vulnerability scanning with prompt remediation.
Infrastructure Security
- All applications hosted on managed cloud platforms with automatic security patching.
- Databases hosted on managed platforms with no public endpoints.
- File storage on Cloudflare R2 with presigned URL access (1-hour expiry).
- Security headers enforced: HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy.
Monitoring
- Sentry for real-time error tracking.
- Axiom for structured application logging.
- PostHog for behavioural analytics (anonymised).
- LangSmith for AI operation observability.
Review
This policy is reviewed annually and updated in response to significant platform changes, security incidents, or changes in the threat landscape.
Contact
Questions about our security practices? Contact privacy@teachersbuddy.com