
AdaptLearn

Personalized AI tutoring

Security

Protecting learner trust is part of the product.

AdaptLearn is built to protect learner accounts, learning activity, and platform operations through layered technical controls and documented security processes.

Disclosure

Report security issues at [email protected].

Compliance

Controls are being organized around SOC 2-style security, availability, and confidentiality practices.

Status

This page describes current safeguards. It is not a certification claim.

Secure sessions

Browser sessions use backend-issued httpOnly cookies, CSRF protection on unsafe (state-changing) requests, and short-lived sessions that are renewed through a separate, protected refresh cookie.
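The cookie layout and CSRF check described above, as an added example written for this page (not AdaptLearn's own code). Cookie names, lifetimes, the refresh path and the header name are assumptions; the CSRF token is bound to the session with an HMAC (signed double-submit cookie) so a token planted by another host cannot pass the check:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"time"
)

// Cookie and header names, lifetimes and paths below are assumptions for
// this example; they are not AdaptLearn's actual configuration.
const (
	sessionCookie = "al_session" // opaque session id, HttpOnly
	refreshCookie = "al_refresh" // long-lived refresh token, HttpOnly, path-scoped
	csrfCookie    = "al_csrf"    // readable by the frontend, echoed back in a header
	csrfHeader    = "X-CSRF-Token"
	sessionTTL    = 15 * time.Minute
	refreshTTL    = 7 * 24 * time.Hour
)

func randomToken(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is not a recoverable state
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// csrfToken binds the CSRF token to the session: HMAC(key, session). A token
// dropped onto the browser by an attacker-controlled host fails the check
// because it was not computed from the victim's session under the server key.
func csrfToken(key []byte, session string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(session))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// loginCookies builds the cookies a successful login response sets.
func loginCookies(key []byte, session, refresh string) []*http.Cookie {
	return []*http.Cookie{
		{Name: sessionCookie, Value: session, Path: "/", HttpOnly: true, Secure: true,
			SameSite: http.SameSiteLaxMode, MaxAge: int(sessionTTL.Seconds())},
		// Path scoping keeps the refresh token out of every ordinary API call.
		{Name: refreshCookie, Value: refresh, Path: "/api/auth/refresh", HttpOnly: true,
			Secure: true, SameSite: http.SameSiteStrictMode, MaxAge: int(refreshTTL.Seconds())},
		{Name: csrfCookie, Value: csrfToken(key, session), Path: "/", HttpOnly: false,
			Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: int(sessionTTL.Seconds())},
	}
}

func isSafeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	return false
}

// csrfOK accepts safe methods unconditionally; for unsafe ones the header
// must equal the HMAC recomputed from the session cookie (constant time).
func csrfOK(key []byte, r *http.Request) bool {
	if isSafeMethod(r.Method) {
		return true
	}
	sc, err := r.Cookie(sessionCookie)
	if err != nil || sc.Value == "" {
		return false
	}
	return hmac.Equal([]byte(r.Header.Get(csrfHeader)), []byte(csrfToken(key, sc.Value)))
}

func csrfMiddleware(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !csrfOK(key, r) {
			http.Error(w, "csrf check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key := []byte(randomToken(32)) // in production this comes from a secret store
	for _, c := range loginCookies(key, randomToken(32), randomToken(32)) {
		fmt.Println(c.String())
	}
}
```

The frontend reads only the non-HttpOnly CSRF cookie and sends it in `X-CSRF-Token`; the session and refresh cookies never touch JavaScript. Because the refresh cookie is path-scoped, a stolen session cookie cannot be used to mint new sessions, and the short `MaxAge` on the session bounds the damage from a leak.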

Transport protection

AdaptLearn is served over HTTPS with HSTS enabled, and API traffic is restricted through explicit CORS allow-lists.

Platform hardening

Production responses include security headers for clickjacking protection, MIME sniffing prevention, referrer control, permissions restrictions, and content security policy enforcement.
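The transport and hardening controls of the two sections above (HSTS, explicit CORS allow-list, and the listed response headers) as one middleware, added here as an example and not AdaptLearn's own code. The origin list, hostnames and header values are assumptions; the point of the CORS check is exact matching of the `Origin` value against the allow-list rather than reflecting it or testing a prefix:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// The origin allow-list and header values are assumptions for this example,
// not AdaptLearn's real configuration.
var allowedOrigins = map[string]bool{
	"https://app.adaptlearn.example": true,
}

// securityHeaders sets the response headers the Platform hardening section lists.
func securityHeaders(h http.Header) {
	h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
	h.Set("X-Frame-Options", "DENY")           // clickjacking
	h.Set("X-Content-Type-Options", "nosniff") // MIME sniffing
	h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
	h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
	h.Set("Content-Security-Policy",
		"default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'")
}

// corsOrigin returns the value to echo in Access-Control-Allow-Origin, or ""
// when the Origin is absent or not allow-listed. The match is exact: a
// HasPrefix/HasSuffix check would admit
// https://app.adaptlearn.example.attacker.test, and reflecting the request's
// Origin unconditionally would allow any site to make credentialed calls.
func corsOrigin(origin string) string {
	if allowedOrigins[origin] {
		return origin
	}
	return ""
}

func harden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		securityHeaders(h)
		h.Add("Vary", "Origin") // the response depends on Origin; keep shared caches honest
		o := corsOrigin(r.Header.Get("Origin"))
		if o != "" {
			h.Set("Access-Control-Allow-Origin", o)
			h.Set("Access-Control-Allow-Credentials", "true")
			if r.Method == http.MethodOptions { // preflight from an allowed origin
				h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
				h.Set("Access-Control-Allow-Headers", "Content-Type, X-CSRF-Token")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		} else if r.Method == http.MethodOptions && r.Header.Get("Origin") != "" {
			w.WriteHeader(http.StatusForbidden) // preflight from an unknown origin
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one request through the middleware and returns the response
// headers, so the policy can be inspected without a network.
func probe(method, origin string) http.Header {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "https://api.adaptlearn.example/v1/me", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	harden(ok).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	for _, o := range []string{"https://app.adaptlearn.example", "https://app.adaptlearn.example.attacker.test"} {
		fmt.Printf("%s -> ACAO=%q\n", o, probe(http.MethodGet, o).Get("Access-Control-Allow-Origin"))
	}
}
```

`Vary: Origin` is set on every response, including denied ones, so a CDN never serves an allow-listed origin's CORS headers to a request from elsewhere. HSTS only has effect once the site is already reached over HTTPS, which is why the header is paired with an HTTPS-only listener rather than substituting for one.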

Operational monitoring

Backend requests carry traceable request identifiers and are recorded in structured logs; deployments run smoke tests, and operational failures have defined alerting paths.

Vulnerability management

Dependencies are monitored through Dependabot, npm audit, Go vulnerability scanning, and CodeQL SARIF artifacts in CI.

Data minimization

Learner data is used for account access, learning personalization, billing, support, safety, and compliance purposes described in the privacy notice.

Operating Practices

Security controls that support day-to-day operations.

These practices are intended to reduce account abuse, protect learner data, and create useful audit evidence as AdaptLearn matures.

  • Role-based access for learner, team, and admin surfaces.
  • Email verification before learner access to lessons.
  • Payment webhook signature checks and transaction verification before subscription activation.
  • Audit-ready documentation for incident response, access reviews, vulnerability handling, and change management.
  • Sensitive production secrets managed outside the browser application and excluded from public artifacts.
  • Responsible disclosure contact published through security.txt.
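The payment item in the list above (webhook signature checks, then transaction verification, before a subscription is activated) as an added example written for this page, not AdaptLearn's integration or any specific provider's SDK. The signature header format `t=<unix>,v1=<hex hmac-sha256>`, the event JSON and the in-memory stand-in for the provider's transaction API are assumptions modelled on common webhook conventions:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Header format, event shape and the provider lookup below are assumptions
// for this example; they are not a real provider's scheme or AdaptLearn's code.
const tolerance = 5 * time.Minute // replay window for the signed timestamp

var (
	errMalformed  = errors.New("webhook: malformed signature header")
	errStale      = errors.New("webhook: timestamp outside tolerance")
	errBadSig     = errors.New("webhook: signature mismatch")
	errUnverified = errors.New("webhook: transaction did not verify")
)

// sign computes HMAC-SHA256(secret, "<ts>.<body>") as the provider would.
func sign(secret []byte, ts int64, body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// verifySignature checks freshness (replay window) and then the MAC in
// constant time. Nothing in the body is trusted until this returns nil.
func verifySignature(secret []byte, header string, body []byte, now time.Time) error {
	ts, sig := int64(-1), ""
	for _, part := range strings.Split(header, ",") {
		k, v, ok := strings.Cut(part, "=")
		if !ok {
			return errMalformed
		}
		switch k {
		case "t":
			n, err := strconv.ParseInt(v, 10, 64)
			if err != nil {
				return errMalformed
			}
			ts = n
		case "v1":
			sig = v
		}
	}
	if ts < 0 || sig == "" {
		return errMalformed
	}
	if d := now.Sub(time.Unix(ts, 0)); d > tolerance || d < -tolerance {
		return errStale
	}
	if !hmac.Equal([]byte(sig), []byte(sign(secret, ts, body))) {
		return errBadSig
	}
	return nil
}

type event struct {
	ID   string `json:"id"`
	Type string `json:"type"`
	Data struct {
		TransactionID string `json:"transaction_id"`
		CustomerID    string `json:"customer_id"`
		Amount        int64  `json:"amount"`
	} `json:"data"`
}

// transaction is what the provider's API reports; a map stands in for that
// API call so the example runs offline.
type transaction struct {
	CustomerID, Status string
	Amount             int64
}

type activator struct {
	secret   []byte
	provider map[string]transaction
	seen     map[string]bool // processed event ids (duplicate deliveries)
	active   map[string]bool // customer id -> subscription active
}

func newActivator(secret []byte, p map[string]transaction) *activator {
	return &activator{secret: secret, provider: p, seen: map[string]bool{}, active: map[string]bool{}}
}

// handle activates a subscription only after the signature verifies AND the
// provider confirms the referenced transaction as paid, for the same customer
// and amount the event claims. A well-formed body alone activates nothing.
func (a *activator) handle(header string, body []byte, now time.Time) error {
	if err := verifySignature(a.secret, header, body, now); err != nil {
		return err
	}
	var ev event
	if err := json.Unmarshal(body, &ev); err != nil {
		return fmt.Errorf("webhook: bad json: %w", err)
	}
	if ev.Type != "payment.succeeded" || a.seen[ev.ID] {
		return nil // not an activation event, or already processed
	}
	tx, ok := a.provider[ev.Data.TransactionID]
	if !ok || tx.Status != "paid" || tx.CustomerID != ev.Data.CustomerID || tx.Amount != ev.Data.Amount {
		return errUnverified
	}
	a.seen[ev.ID] = true
	a.active[ev.Data.CustomerID] = true
	return nil
}

func main() {
	secret := []byte("whsec_example") // constructed; real secrets live outside the repo
	a := newActivator(secret, map[string]transaction{"tx_1": {"cus_1", "paid", 1999}})
	body := []byte(`{"id":"evt_1","type":"payment.succeeded","data":{"transaction_id":"tx_1","customer_id":"cus_1","amount":1999}}`)
	now := time.Now()
	hdr := fmt.Sprintf("t=%d,v1=%s", now.Unix(), sign(secret, now.Unix(), body))
	fmt.Println(a.handle(hdr, body, now), a.active["cus_1"])
}
```

The order matters: the raw bytes are verified before they are parsed, the timestamp is checked before the MAC so an old capture cannot be replayed inside the window, and the provider is asked about the transaction rather than the event being believed. Recording processed event IDs makes a redelivered webhook harmless.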

Responsible Disclosure

How to report a vulnerability.

If you believe you have found a security issue, email [email protected] with a clear description, affected URL or endpoint, reproduction steps, and any relevant screenshots or logs.

Please avoid accessing, modifying, deleting, or exfiltrating data that does not belong to you. Do not perform disruptive testing such as denial-of-service, spam, credential stuffing, or destructive scanning.

We aim to acknowledge credible reports promptly, investigate with care, and communicate remediation status where appropriate.