Last updated: 2026-05-08
All traffic is encrypted in transit with TLS 1.2+. Document storage uses AWS S3 server-side encryption (SSE-S3). Database backups are encrypted at rest.
We use signed magic-link authentication by default — no passwords to leak. Sessions are bound to a per-user signing key with a strict expiration window.
Roles inside Levelbrook (admin, staff, parent-portal) are enforced server-side. Every API call goes through our session middleware and a token-bucket rate limiter.
Content is stored in AWS us-east-1. Audit logs are written to a separate, append-only bucket so deletion of operational data does not erase the audit trail.
Email [email protected]. We acknowledge within one business day and work directly with researchers on responsible disclosure.