Last Updated: June 1, 2026
Sukrat AI is committed to protecting student data and maintaining the security of the platform. This page describes the specific technical and organizational measures we use.
1. Encryption
1.1 Encryption in Transit
TLS 1.2+ is enforced across all endpoints — the Sukrat web app, backend API, and all connections to infrastructure services. There are no unencrypted paths to student data.
1.2 Encryption at Rest
All student data is encrypted at rest using AES-256, managed by Supabase (EU region) and DigitalOcean. Object storage (uploaded course materials) uses DigitalOcean Spaces with server-side encryption.
2. Data Isolation (Tenant Security)
Sukrat uses Supabase Row-Level Security (RLS) to enforce strict data isolation:
- No student can access another student's data — this is enforced at the database level, not just the application layer
- School administrator access is scoped to their own institution's students only
- No school can access another school's student data
3. Authentication and Account Security
- Authentication is handled by Supabase Auth with secure session tokens; passwords are never stored in plaintext
- Production database access requires multi-factor authentication and is restricted to named team members with a documented legitimate need
- Session tokens are refreshed automatically and expire on inactivity
- CSRF protection is enforced on all state-changing requests
4. Infrastructure Security
Sukrat's infrastructure is built on providers with independent security certifications:
- Supabase (EU region) — database, authentication, and RLS enforcement; SOC 2 Type II certified
- DigitalOcean — API hosting and object storage; SOC 2 Type II certified
- Vercel — frontend hosting; SOC 2 Type II certified
- Cloudflare — CDN, DDoS protection, and Web Application Firewall (WAF); ISO 27001 certified
5. No PII in Development or Staging
Student personally identifiable data is never accessible in development or staging environments. Test and development environments use synthetic data only.
6. AI Provider Security
No student PII is included in prompts sent to external AI providers. Prompts contain only anonymized curriculum content (question text, syllabus reference, mastery state for the relevant topic). See our AI Usage Policy for the full No-PII LLM Policy.
7. Monitoring and Threat Detection
- Application errors are captured by Sentry, with PII scrubbed before transmission
- Cloudflare WAF monitors and blocks malicious traffic at the network edge
- Supabase infrastructure monitoring detects anomalous database access patterns
- Sukrat team reviews security alerts and responds to detected incidents promptly
8. Breach Response
If a confirmed security breach affects student personal data, Sukrat will:
- Notify affected schools within 72 hours of confirmation
- Notify affected individual users where required by law
- Provide a description of the incident, data affected, and remediation steps taken
For details on our incident response process, see the Security Incident Response Policy.
9. Vulnerability Disclosure
If you believe you have discovered a security vulnerability in the Sukrat platform, please report it responsibly to security@sukrat.ai. Do not exploit or publicly disclose the vulnerability before giving us a reasonable opportunity to respond.
10. User Responsibilities
Platform security is a shared responsibility. You can help by:
- Using a strong, unique password for your Sukrat account
- Not sharing your account credentials
- Logging out of shared devices after use
- Notifying us immediately at security@sukrat.ai if you suspect unauthorized access to your account
11. Limitations
No system is completely immune to security incidents. While we implement the measures described above, we cannot guarantee absolute security. We continuously improve our security posture and respond to the evolving threat landscape.
Last Modified: June 1, 2026
Version: 2.0