Limited Pilot Program · Currently invitation-only. Request Pilot Access

Security

Last updated: June 2026

StorylineIQ is built for K-12 districts. Security and privacy controls are not bolted on — they are the architecture.

Encryption

TLS 1.2+ in transit. AES-256 at rest (managed by AWS RDS via Supabase). Database backups encrypted with rotating keys.

Multi-tenant isolation

Postgres Row-Level Security on every table. Every query is scoped by district_id via SECURITY DEFINER helpers. Cross-tenant access is structurally impossible.

Authentication & MFA

Supabase Auth with email + password (and Google OAuth where enabled). District admins and school admins must enable TOTP MFA. Idle session timeout is district-configurable (default 30 min).

Audit logging

Append-only audit_events table records who viewed, created, edited, exported, or deleted student records, with timestamp, actor, and metadata. Logs retained per district policy (default 7 years).

AI privacy controls

Student names are deterministically redacted to placeholders before any AI gateway call. The model provider does not train on customer prompts or outputs. AI output is always a draft for educator review.

Incident response

On-call rotation, automated alerting on auth and rate-limit anomalies, 72-hour breach-notification commitment in the DPA.

Hosting

Application runtime on Cloudflare Workers (global edge). Database, auth, and storage on Supabase (AWS us-east-1).

Incident response

For details on detection, severity classification, customer notification timelines, and post-incident review, see our Incident Response Policy.

Vulnerability disclosure

Report security issues to security@storylineiq.com. We acknowledge within 2 business days.