Security

Architecture

• HTTPS everywhere with HSTS; TLS 1.2+ only.
• Authentication via Clerk (SOC 2 Type II); JWTs verified server-side against rotating JWKS.
• Postgres on managed infrastructure with backups, encryption at rest, and per-environment isolation.
• OAuth tokens encrypted with AES-256-GCM using a per-environment encryption key.

Application controls

• Strict input validation — every API write rejects unknown fields (no silent persistence).
• Webhook idempotency — duplicate deliveries from Clerk/Stripe/GitHub are no-ops at the unique-constraint level.
• Audit log records sensitive operations (role changes, exports, deletion requests) with actor + IP.
• Sandbox isolation — student code runs in E2B containers, never in our application process.

Reporting

Found a vulnerability? Email admin@studysite.aiwith “Security” in the subject. We'll acknowledge within 2 business days and work with you on a coordinated disclosure timeline.