Security First

Security Policy

How we protect your data with enterprise-grade security practices and transparent incident response procedures.

Last Security Scan: November 6, 2025

Our systems undergo regular automated security scans and manual penetration testing to ensure continuous protection.

Infrastructure Security
Enterprise-grade security from the ground up

Encryption

  • • All data encrypted in transit using TLS 1.3
  • • All data encrypted at rest using AES-256
  • • Database-level encryption via Supabase
  • • Secure key management with automatic rotation

Row Level Security (RLS)

  • • Students can only access their own data
  • • Teachers require principal approval to view student data
  • • School staff can only see students from their school
  • • Database-level enforcement of access rules

Audit Logging

  • • All data access by teachers/principals is logged
  • • Payment transactions are fully auditable
  • • GDPR data requests are tracked
  • • Logs retained for compliance and incident investigation
Application Security
Protecting against common web vulnerabilities
  • XSS Prevention: All user input is sanitized and validated
  • CSRF Protection: Tokens and SameSite cookies prevent cross-site attacks
  • SQL Injection Prevention: Parameterized queries and ORM protection
  • Rate Limiting: Protection against brute force and DoS attacks
  • Content Security Policy: Strict CSP headers prevent code injection
  • Secure Authentication: Industry-standard JWT with secure session management
Payment Security
PCI DSS compliant payment processing
  • Stripe Integration: All payments processed by Stripe, a PCI DSS Level 1 certified provider
  • No Card Storage: We never store your credit card information on our servers
  • Secure Webhooks: Payment confirmations verified with cryptographic signatures
  • Transaction Logging: All payment events are audited for compliance and dispute resolution
Security Incident Response
How we handle security incidents

Incident Detection & Monitoring

We maintain 24/7 automated monitoring for suspicious activity, failed login attempts, unusual data access patterns, and system anomalies.

Response Procedure

  1. Immediate incident containment and threat neutralization
  2. Forensic analysis to determine scope and impact
  3. User notification within 72 hours if personal data is affected (GDPR requirement)
  4. Remediation and security improvements
  5. Post-incident review and documentation

Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

  • • You will be notified via email within 72 hours
  • • We will report to the Irish Data Protection Commission
  • • Clear guidance on protective actions will be provided
  • • Free identity monitoring may be offered if appropriate
Report a Security Vulnerability
Help us maintain security by reporting issues responsibly

If you discover a security vulnerability in CourseCompass, please report it to us responsibly:

Security Team

Email: info@coursecompass.ie

Please include: description of the vulnerability, steps to reproduce, potential impact, and your contact information.

We commit to acknowledging vulnerability reports within 48 hours and providing updates on remediation progress.

Report Security Issue
Compliance & Standards
  • GDPR
    General Data Protection Regulation compliant
  • DPA 2018
    Irish Data Protection Act 2018 compliant
  • Circular 0035/2017
    Irish educational data protection guidelines
  • PCI DSS
    Payment security via Stripe (Level 1 certified)