Last updated: May 2026

Security

Our Security Commitment

Security is fundamental to everything we do at netschool. We are committed to protecting your data and maintaining the trust you place in us. This document outlines our actual security practices and technical implementations.

Authentication Security

We implement multiple authentication methods with industry-standard security:

• Password Hashing: Bcrypt with 12 rounds for all password storage
• Email-Based Login: 6-digit one-time codes with time-based expiration
• JWT Tokens: Secure token-based session management with proper expiration
• Password Reset: Secure token-based password reset via email
• Email Verification: Email verification status tracking for account security

Role-Based Access Control

Access to the platform is controlled through a role-based permission system:

• Superadmin: Full system access across all schools
• Admin: Full administrative access within their assigned school, including user impersonation
• Teacher: Access to assigned classes, grading tools, and student management
• Guardian: Access to their assigned children's information
• Student: Access to their own academic records and resources

Admin impersonation capabilities are logged and audited for support purposes. All role checks are enforced at the service layer to prevent unauthorized access.

Data Encryption

We protect data both in transit and at rest:

• In Transit: TLS 1.3 for all HTTPS connections
• At Rest: Encrypted storage in PostgreSQL database
• Media Files: Content hashing for file integrity and deduplication
• Passwords: Bcrypt hashing (12 rounds) with automatic truncation to bcrypt limits

Application Architecture

Our backend follows a layered security architecture:

• API Layer: HTTP endpoints with dependency injection for authentication
• Service Layer: Authorization and high-level validation rules
• Repository Layer: Data access logic with ORM/SQL abstraction
• Schema Layer: Pydantic models for input/output validation

This separation ensures that database queries are isolated from HTTP logic and authorization checks are consistently applied.

Technology Stack Security

Our platform uses modern, secure technologies:

• Backend: FastAPI with automatic OpenAPI documentation
• Database: PostgreSQL with secure connection handling
• Caching: Redis for session and data caching
• Frontend: SvelteKit with secure client-side routing

Deployment Security

We use a Docker-first deployment approach for consistency across environments:

• Containerization: Docker images with minimal attack surface
• Platform: Fly.io for production hosting with built-in security features
• Environment Variables: Sensitive configuration via environment variables (JWT_SECRET_KEY, DATABASE_URL, REDIS_URL)
• Health Checks: Automated health monitoring for service availability

Notification Security

We use secure notification delivery methods:

• Email: Resend API for transactional emails
• Mobile Push: Firebase Cloud Messaging (FCM) with secure token management
• Web Push: VAPID keys for browser push notifications
• Push Subscriptions: Secure subscription management for web push endpoints

File Upload Security

Media file uploads are handled with security measures:

• Content Hashing: SHA-256 hashing for file integrity and deduplication
• Storage: Cloudflare R2 for secure object storage
• Access Control: Signed URLs for temporary access to uploaded files
• File Registration: Centralized file registration to prevent unauthorized access

Session Management

Session security is implemented through:

• JWT Tokens: Stateless token-based authentication
• Cookie Security: Secure, HTTP-only cookies for token storage
• Session Expiration: Configurable token lifetimes
• Logout: Secure token invalidation on logout

Infrastructure Security

Our infrastructure is designed with security at every layer:

• Network Isolation: Separated database and cache services
• Firewall Rules: Restricted access between services
• Regular Updates: Automated security patches for dependencies
• Backup Security: Encrypted backups with secure retention policies

Third-Party Integration Security

Some features rely on optional connections to external providers. We secure these integrations as follows:

• Meta (Growth Dashboard): Connecting a Meta advertising account uses OAuth-based authorization with scoped permissions; we request only the access needed to run and measure enrollment campaigns
• Token Storage: Access tokens for connected integrations are stored encrypted and are never exposed to the browser
• Admin-Only: Integration connection and disconnection is restricted to school administrators, and access can be revoked at any time
• Scoped Access: Integration data is isolated per school and protected by the same role-based access controls as the rest of the platform

User Security Best Practices

While we implement robust security measures, users also play a critical role in maintaining security:

• Use strong, unique passwords for your account
• Enable email-based login codes as an alternative to passwords
• Keep your email account secure (used for password reset and login codes)
• Report suspicious activity to your school administrator
• Never share your account credentials with others

Security Updates

We continuously improve our security posture through:

• Regular dependency updates and security patches
• Monitoring for security advisories in our technology stack
• Code reviews with security considerations
• This document will be updated to reflect significant changes to our security practices