Legal

Security

This page is maintained by the StudyPod team to answer common security questions about the platform. It reflects current, in-product practices — not a certification.

Data in transit and at rest

All traffic to and from StudyPod is encrypted with TLS 1.2 or higher. Uploaded files and derived content are stored encrypted at rest with AES-256 on our managed database and object storage.

Authentication

StudyPod supports email + password (with strong hashing) and Google sign-in. Sessions use short-lived access tokens with rotating refresh tokens. We block credential-stuffing patterns and rate-limit sign-in attempts per IP and per account.

Access controls

Only your account can read your StudyPods. On the school and district plan, teachers see only their assigned classes, and district admins see aggregated mastery — not individual chat transcripts — unless explicitly authorized. Internally, engineer access to production data is restricted to a small on-call rotation and audited.

Infrastructure

StudyPod runs on serverless infrastructure hosted in US regions. Backups are taken daily and retained for 30 days. We can restore to any point in that window.

AI and third-party models

We route AI requests through the Lovable AI Gateway. Prompts and completions are used only to serve your request — not to train foundation models. We keep audit logs of AI calls tied to your account for 90 days for abuse investigation.

Responsible disclosure

If you believe you've found a security issue, please report it to security@studypod.app (PGP key available on request). We'll acknowledge within one business day and keep you updated as we investigate. We commit not to pursue legal action against researchers who make a good-faith effort to follow this policy.

Sub-processors and shared responsibility

StudyPod is built on top of managed cloud infrastructure. Some security controls are ours (application code, access policies, audit logs). Others are our vendors' (physical data-center security, hypervisor isolation). We list our sub-processors on the Trust page.