Short-form trust, security, retention, and reporting assets for procurement, sales decks, and institutional review. Updated May 2026.
Checks API, Supabase, disk, storage write, Redis, worker heartbeat, and email configuration.
Authenticated operators see queue depth, failed jobs, active sessions, failed submits, release version, and service checks.
Local and CI gates run tests, dependency audits, dashboard build, Docker config validation, and security scans.

| Area | Control |
|---|---|
| Authentication | Email verification, email-based two-factor authentication, suspicious-login alerts, lockout after failed attempts. |
| Application security | CSRF on JWT-authenticated mutations, per-route rate limits, strict Pydantic validation, CSP headers, dependency audits. |
| Data protection | TLS in transit, encrypted database/storage at rest, hashed one-time login codes (bcrypt), hashed API keys, least-privilege service keys. |
| AI governance | AI grades and proctoring flags are recommendations. Teachers review evidence before final decisions. |
| Operations | Sentry integration, structured JSON logs, RQ background workers, health checks, Docker Compose deployment, rollback runbook. |

| Data | Default Retention | Notes |
|---|---|---|
| Exam screenshots | 90 days | Cleanup job documented in deploy runbook. |
| Phone camera frames | 24 hours | Ephemeral live-review evidence. |
| Violation logs and audit trails | 1 year | Used for appeals, institutional review, and incident reconstruction. |
| Exam answers and scores | Account duration | Exportable and deletable through privacy workflows. |
| LTI learner records | LMS-managed | LMS remains the source of truth for learner identity and roster data. |

The public sample scorecard shows the evidence format institutions receive: identity summary, score, timeline, detection confidence, human-review notes, and appeal-ready audit language.
Public sales material should use verifiable operational claims only. Do not use institution-count claims unless the source list and permission status are documented.