Security Questionnaire

CAIQ-Lite (Consensus Assessments Initiative Questionnaire) — Pre-filled for Procta
Last updated: June 1, 2026

1. Data Security

1.1 Do you encrypt data at rest?
Yes. All data at rest is encrypted using AES-256 via Supabase's encryption-at-rest. Database backups are encrypted with the same standard.
1.2 Do you encrypt data in transit?
Yes. All traffic uses TLS 1.3. HTTPS is enforced via HSTS. Internal service-to-service communication uses TLS where available.
1.3 What is your key management practice?
Encryption keys are managed by the cloud provider (Supabase/RDS). Application-level secrets (JWT signing keys, API keys) are stored as environment variables, never in code. One-time login codes used for two-factor authentication are bcrypt-hashed before storage with a 10-minute TTL.
1.4 Do you have a data retention policy?
Yes. Screenshots: 90 days. Phone camera frames: 24 hours. Violation logs: 1 year. Exam answers: duration of account. See Privacy Policy for full details.

2. Access Control

2.1 How is access to production systems managed?
Production access requires SSH key authentication. Only the deployment pipeline (GitHub Actions) and designated admins have access. No passwords are accepted for SSH. Database access is restricted to the application service account.
2.2 Do you use multi-factor authentication?
Yes. Email-based two-factor authentication is available for all teacher accounts. When enabled, every sign-in requires a 6-digit code delivered to the user's verified email address (10-minute TTL, bcrypt-hashed in storage). We strongly recommend enabling it via the Security tab in the dashboard.
2.3 How are API keys managed?
API keys are hashed (SHA-256) before storage. The raw key is shown once at creation. Keys can be revoked individually via the dashboard. Rate limiting is applied per key.
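The secret-storage scheme described in 1.3, 2.2 and 2.3, as an added example (not Procta's code): a high-entropy API key is stored only as a plain SHA-256 digest and shown once, while the low-entropy 6-digit login code gets a salted slow hash with a 10-minute expiry and single use. The key format, the in-memory stores, and the use of standard-library PBKDF2-HMAC in place of bcrypt are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the database tables (assumption, not Procta's code).
API_KEYS = {}   # key_id -> {"hash": hex SHA-256 digest, "revoked": bool}
OTP_CODES = {}  # user -> {"hash": bytes, "salt": bytes, "expires": epoch seconds}
OTP_TTL_SECONDS = 600  # the 10-minute TTL stated in the questionnaire

def create_api_key():
    """Mint a key and store only its SHA-256 digest; the raw key is returned exactly once."""
    key_id = secrets.token_hex(4)
    raw = f"pk_{key_id}_{secrets.token_hex(32)}"  # 256 bits of entropy: a fast hash suffices
    API_KEYS[key_id] = {"hash": hashlib.sha256(raw.encode()).hexdigest(), "revoked": False}
    return raw

def verify_api_key(raw):
    parts = raw.split("_")  # assumed format pk_<key_id>_<secret>; the id is the lookup handle
    if len(parts) != 3 or parts[0] != "pk":
        return False
    rec = API_KEYS.get(parts[1])
    if rec is None or rec["revoked"]:
        return False
    # Constant-time digest comparison, so timing does not leak how much of the key matched.
    return hmac.compare_digest(hashlib.sha256(raw.encode()).hexdigest(), rec["hash"])

def revoke_api_key(key_id):
    API_KEYS[key_id]["revoked"] = True  # individual revocation; the row is kept for audit

def _otp_hash(code, salt):
    # Stand-in for bcrypt (stdlib only): a slow, salted KDF, so a leaked row does not make the
    # 1,000,000 possible 6-digit codes cheap to enumerate; online guessing is rate-limited upstream.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

def issue_otp(user, now):
    """Generate a 6-digit code; only its salted slow hash and expiry time are stored."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    OTP_CODES[user] = {"hash": _otp_hash(code, salt), "salt": salt, "expires": now + OTP_TTL_SECONDS}
    return code  # delivered to the verified email address, never stored in clear

def verify_otp(user, code, now):
    rec = OTP_CODES.get(user)
    if rec is None or now > rec["expires"]:
        OTP_CODES.pop(user, None)  # expired codes are discarded, not retried
        return False
    if hmac.compare_digest(_otp_hash(code, rec["salt"]), rec["hash"]):
        del OTP_CODES[user]  # single use: a matching code is consumed
        return True
    return False
```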

3. Application Security

3.1 Do you perform code reviews?
Yes. All code changes go through pull request review with required approvals before merging to main.
3.2 Do you run automated security testing?
Yes. Each push runs the full test suite (482+ tests), AST-based syntax checks, and dependency scanning (npm audit, pip check).
3.3 How are dependencies managed?
Python dependencies are pinned in requirements.lock (generated via pip-compile). Node dependencies are pinned in package-lock.json. Both are audited on every build.
3.4 Do you have rate limiting?
Yes. All API endpoints have rate limits (typically 5-60 requests/minute depending on sensitivity).

4. Infrastructure Security

4.1 Where is your infrastructure hosted?
Application: DigitalOcean (Mumbai, India — BLR1 region). Database: Supabase (AWS, ap-south-1). Redis: co-located with the application on the same droplet.
4.2 Do you have a disaster recovery plan?
Yes. Daily encrypted backups to Backblaze B2. Container images are stored in GitHub Container Registry. Deployment is fully automated via GitHub Actions — a new droplet can be provisioned in under 30 minutes.
4.3 How do you handle security incidents?
Incidents are logged and escalated via Sentry (error tracking) and PagerDuty-style on-call rotation. Critical alerts (sustained error rate >5%, authentication anomalies) trigger immediate notification.

5. Compliance

5.1 Is the product SOC 2 audited?
Not currently. We follow the SOC 2 control framework but have not undergone a formal audit. A SOC 2 report is planned for Q3 2026.
5.2 Do you comply with DPDP (India)?
Yes. We provide: data subject rights (access, correction, deletion, portability), consent recording, data retention schedules, breach notification, and a DPA template.
5.3 Do you comply with GDPR?
Yes. As a data processor, we support our customers' GDPR compliance through DPAs, data deletion, data export, and sub-processor disclosure.
5.4 Do you sign DPAs with customers?
Yes. A standard DPA template is available at /dpa. Custom DPAs can be requested from legal@procta.net.

6. AI & Machine Learning

6.1 Are AI grading models trained on customer data?
No. AI grading uses a zero-shot prompt approach — the model never stores or trains on student answers. Prompts include the question, reference answer, and student answer only for that request, and are discarded after the response.
6.2 Are proctoring flags reviewed by humans?
Yes. All AI-generated flags and grade suggestions are recommendations, not verdicts. Teachers must review and confirm before they become part of the gradebook.
6.3 What AI providers do you use?
Groq (Llama 3.3 70B) for grading. Providers are configurable via environment variables — customers can point to their own OpenAI-compatible endpoint.

This questionnaire is pre-filled for quick reference. For a fully completed version tailored to your institution, contact sales@procta.net.