Security Policy
How we protect your data with enterprise-grade security practices and transparent incident response procedures.
Last Security Scan: November 6, 2025
Our systems undergo regular automated security scans and manual penetration testing to ensure continuous protection.
Enterprise-grade security from the ground up
Encryption
- • All data encrypted in transit using TLS 1.3
- • All data encrypted at rest using AES-256
- • Database-level encryption via Supabase
- • Secure key management with automatic rotation
Row Level Security (RLS)
- • Students can only access their own data
- • Teachers require principal approval to view student data
- • School staff can only see students from their school
- • Database-level enforcement of access rules
Audit Logging
- • All data access by teachers/principals is logged
- • Payment transactions are fully auditable
- • GDPR data requests are tracked
- • Logs retained for compliance and incident investigation
Protecting against common web vulnerabilities
XSS Prevention: All user input is sanitized and validated
CSRF Protection: Tokens and SameSite cookies prevent cross-site attacks
SQL Injection Prevention: Parameterized queries and ORM protection
Rate Limiting: Protection against brute force and DoS attacks
Content Security Policy: Strict CSP headers prevent code injection
Secure Authentication: Industry-standard JWT with secure session management
PCI DSS compliant payment processing
Stripe Integration: All payments processed by Stripe, a PCI DSS Level 1 certified provider
No Card Storage: We never store your credit card information on our servers
Secure Webhooks: Payment confirmations verified with cryptographic signatures
Transaction Logging: All payment events are audited for compliance and dispute resolution
Security Incident Response
How we handle security incidents
Incident Detection & Monitoring
We maintain 24/7 automated monitoring for suspicious activity, failed login attempts, unusual data access patterns, and system anomalies.
Response Procedure
- Immediate incident containment and threat neutralization
- Forensic analysis to determine scope and impact
- User notification within 72 hours if personal data is affected (GDPR requirement)
- Remediation and security improvements
- Post-incident review and documentation
Data Breach Notification
In the unlikely event of a data breach affecting your personal information:
- • You will be notified via email within 72 hours
- • We will report to the Irish Data Protection Commission
- • Clear guidance on protective actions will be provided
- • Free identity monitoring may be offered if appropriate
Report a Security Vulnerability
Help us maintain security by reporting issues responsibly
If you discover a security vulnerability in CourseCompass, please report it to us responsibly:
Security Team
Email: info@coursecompass.ie
Please include: description of the vulnerability, steps to reproduce, potential impact, and your contact information.
We commit to acknowledging vulnerability reports within 48 hours and providing updates on remediation progress.
Report Security Issue