Security Overview
Factual summary of how SpEd Coach Master is built and operated.
Last updated June 2026
Application architecture
SpEd Coach Master runs as a server-rendered web application on managed edge infrastructure. The database is a managed Postgres instance with row-level security enabled on all user-facing tables.
Access control
- All organization data is scoped by row-level security policies.
- Platform administrator routes are gated server-side, not only in the UI.
- Service-role database access is restricted to trusted server functions.
Launch token lifecycle
- Tokens are generated server-side, bound to user, module, and organization.
- Tokens are short-lived and single-use.
- Pre-launch checks verify the organization is active, the module is enabled, and the user has access.
- All launch attempts (success and failure) are logged.
Webhook & integration security
- Outbound webhook URLs are validated; loopback, private-range, and link-local addresses are blocked (IPv4 and IPv6).
- Webhook test requests are rate-limited per user.
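An added example, not SpEd Coach Master's own code: one way to implement the outbound URL check described in the first bullet above, in Python. The name `check_webhook_url`, the injectable `resolver` parameter, and the extra rejection of unspecified, multicast and reserved addresses are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_blocked(ip):
    """True for addresses an outbound webhook must never reach."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def _system_resolver(host, port):
    """Default resolver: every A/AAAA address the host maps to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_webhook_url(url, resolver=_system_resolver):
    """Return (allowed, reason). Hypothetical helper for illustration."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IP in the URL: check it directly, no DNS involved.
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            # Strip any IPv6 zone id ("%eth0") before parsing.
            addresses = [ipaddress.ip_address(a.split("%")[0])
                         for a in resolver(host, port)]
        except (OSError, ValueError):
            return False, "host did not resolve"
    if not addresses:
        return False, "host did not resolve"
    # Reject if ANY resolved address is internal, not only the first one.
    for ip in addresses:
        if _is_blocked(ip):
            return False, f"blocked address {ip}"
    return True, "ok"
```

A check like this only holds if the HTTP client then connects to the address that was validated and does not follow redirects to unchecked hosts; otherwise the name can resolve differently between the check and the request.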
AI governance
- AI use is opt-in at organization and module scope.
- Per-organization usage limits are tracked.
- AI calls are logged for administrator visibility.
Reporting a security issue
Suspected vulnerabilities can be reported through the Support page. We will acknowledge receipt and coordinate remediation. Please do not publicly disclose issues before we have had a reasonable opportunity to investigate.