StorylineIQ is built for K-12 districts. Security and privacy controls are not bolted on — they are the architecture.
Encryption
TLS 1.2+ in transit. AES-256 at rest (managed by AWS RDS via Supabase). Database backups encrypted with rotating keys.
Multi-tenant isolation
Postgres Row-Level Security on every table. Every query is scoped by district_id via SECURITY DEFINER helpers. Cross-tenant access is structurally impossible.
Authentication & MFA
Supabase Auth with email + password (and Google OAuth where enabled). District admins and school admins must enable TOTP MFA. Idle session timeout is district-configurable (default 30 min).
Audit logging
Append-only audit_events table records who viewed, created, edited, exported, or deleted student records, with timestamp, actor, and metadata. Logs retained per district policy (default 7 years).
AI privacy controls
Student names are deterministically redacted to placeholders before any AI gateway call. The model provider does not train on customer prompts or outputs. AI output is always a draft for educator review.
Incident response
On-call rotation, automated alerting on auth and rate-limit anomalies, 72-hour breach-notification commitment in the DPA.
Hosting
Application runtime on Cloudflare Workers (global edge). Database, auth, and storage on Supabase (AWS us-east-1).
Incident response
For details on detection, severity classification, customer notification timelines, and post-incident review, see our Incident Response Policy.
Vulnerability disclosure
Report security issues to security@storylineiq.com. We acknowledge within 2 business days.
