Security Overview
A factual summary of how SpEd Coach is built, hosted, and operated.
Last updated July 2026
SpEd Coach is built for the specific demands of special education data - sensitive student records, compliance-critical documentation, and workflows that require both access control and audit visibility. This page describes the security architecture and practices currently in place.
Platform Architecture
SpEd Coach runs as a web application on managed edge infrastructure hosted by Cloudflare. The database is a managed PostgreSQL instance provided by Supabase, with row-level security enabled on all user-facing tables. No organization's data is visible to another organization at any layer of the stack.
Encryption
- ✓ Data in transit: Encrypted using TLS 1.2 or higher for all connections
- ✓ Data at rest: Encrypted using AES-256 by the managed infrastructure provider
- ✓ Uploaded documents: Stored in access-controlled object storage (not publicly accessible)
- ✓ Passwords: Hashed; plaintext credentials are never stored
Access Control and Tenant Separation
- ✓ All organization data is scoped by row-level security policies enforced at the database layer - not only in the UI
- ✓ Platform administrator routes are gated server-side
- ✓ Service-role database access is restricted to trusted server functions
- ✓ Each organization operates in an isolated workspace; cross-organization data access is architecturally prevented
Authentication and Launch Tokens
- Authenticated sessions are required to access any organization data
- Short-lived, single-use launch tokens are generated server-side for each module access event
- Tokens are bound to the specific user, module, and organization at generation time
- Pre-launch checks verify organization status, module enablement, and user permissions before any token is issued
- All launch attempts - success and failure - are logged
Secure File Storage
- Uploaded educational documents are transmitted over TLS and stored in access-controlled storage
- Document URLs are not publicly accessible; access requires authentication and role verification
- Document access is scoped to the student and organization that owns the record
Webhook and Integration Security
- Outbound webhook URLs are validated; loopback, private-range, and link-local addresses are blocked (IPv4 and IPv6)
- Webhook test requests are rate-limited per user
AI Governance
- AI features are opt-in at the organization and per-module level
- Per-organization AI usage limits are tracked and visible to administrators
- All AI invocations are logged for administrator review
- Content passes through a PII-scanning pipeline before reaching external AI model providers
Audit Logging
SpEd Coach maintains audit logs covering:
- Authentication events (logins, failures, session events)
- Administrator actions (role changes, member management, configuration updates)
- Module launches and access events
- AI invocation events and usage counts
- Document access, upload, and export events
Monitoring and Operational Visibility
SpEd Coach uses infrastructure-level monitoring provided by Supabase and Cloudflare for uptime, error rate, and operational health. Internal alerts are configured for anomalous activity patterns.
Backup and Recovery
Managed infrastructure providers (Supabase) maintain automated backups for disaster recovery purposes. Backups are not exposed as customer-facing point-in-time restores. In the event of a catastrophic failure, recovery procedures are designed to restore the platform from backup within a reasonable timeframe.
Incident Response
We maintain documented incident response procedures covering identification, investigation, containment, remediation, and organizational notification. In the event of a confirmed security incident affecting customer data, affected organizations will be notified consistent with applicable legal obligations and operational policies.
SOC 2 Readiness
SpEd Coach is not currently SOC 2 certified. We are following a staged readiness roadmap: baseline security controls are implemented; formal policy documentation, vendor management, and incident response procedures are being formalized; SOC 2 Type I preparation is planned. See the Trust Center for the full roadmap.
Reporting a Security Issue
Security vulnerabilities may be reported to support@spedcoach.com. We will acknowledge receipt within two business days and coordinate remediation. Please practice responsible disclosure - do not publicly disclose vulnerability details before we have had a reasonable opportunity to investigate and respond.
