Security

    How we protect your data

    We won't claim certifications we don't have. Instead, here is exactly how Bevinzey is built and what controls protect your information today.

    Encryption in Transit & at Rest

    All traffic is served over TLS 1.3. Data at rest is encrypted with AES-256 by our managed cloud infrastructure provider.

    Row-Level Security on Every Table

    Postgres Row-Level Security (RLS) policies enforce per-user data isolation at the database layer, not just in the app, so a misbehaving query can't leak another user's data.

    Role-Based Access Control

    Roles (student, educator, learning specialist, institution admin, admin) are stored in a dedicated table and checked via security-definer functions to prevent privilege escalation.

    Managed, Monitored Infrastructure

    We run on enterprise-grade managed cloud infrastructure with automated backups, isolated environments, and platform-level intrusion detection.

    Auditable AI Outputs

    Every AI summary, flashcard, and answer is generated from sources you upload. You can trace outputs back to their inputs; nothing is invented from a hidden corpus of student data.

    Your Data, Your Control

    You can export your study materials, summaries, flashcards, and account data from Settings at any time. You can also permanently delete your account and associated data on request.

    The details

    1. Encryption

    Data in transit uses TLS 1.3. Data at rest, including backups, is encrypted with AES-256 by our managed cloud provider.

    2. Authentication & access

    Passwords are hashed using industry-standard algorithms and never stored in plain text. Sessions use short-lived JWTs. Roles are checked via security-definer functions to avoid privilege escalation, and Row-Level Security isolates each user's data at the database layer.

    3. AI providers and your content

    AI features are powered by upstream providers (e.g. Google Gemini, OpenAI, Anthropic) under their data-processing terms. Your content is sent only when you trigger an AI action, is not used to train our models, and we never sell user data.

    4. Portability and deletion

    You can export your study materials, summaries, flashcards, and account data at any time from Settings. You can also request permanent deletion of your account and associated data, and we'll act on the request within a reasonable timeframe.
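
    The pattern described under "Authentication & access" (roles in a dedicated table, checked through a security-definer function, with Row-Level Security isolating each user's rows) can be sketched in Postgres as follows. This is an added example, not Bevinzey's code: the names app_user, app_role, user_roles, current_user_id, has_role and notes, and the app.user_id session setting, are all assumptions made for illustration.

```sql
-- Added example; every object name here is hypothetical, not Bevinzey's schema.
-- Assumption: the API layer is the only SQL client and sets app.user_id
-- per transaction from the verified JWT before running queries as app_user.
CREATE ROLE app_user NOLOGIN;
CREATE TYPE app_role AS ENUM
  ('student', 'educator', 'learning_specialist', 'institution_admin', 'admin');

-- Roles live in their own table, not in a column on a user-editable row.
CREATE TABLE user_roles (
  user_id uuid     NOT NULL,
  role    app_role NOT NULL,
  PRIMARY KEY (user_id, role)
);
-- RLS on with no policies, and no grants: app_user cannot read or write it.
ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON user_roles FROM PUBLIC;

CREATE FUNCTION current_user_id() RETURNS uuid
LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- SECURITY DEFINER runs with the owner's rights, so policies can consult
-- user_roles without callers being granted access to the table itself.
-- search_path is pinned so a caller cannot shadow user_roles with its own object.
CREATE FUNCTION has_role(_role app_role) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
  SELECT EXISTS (
    SELECT 1 FROM user_roles
    WHERE user_id = current_user_id() AND role = _role)
$$;
REVOKE ALL ON FUNCTION has_role(app_role) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION has_role(app_role) TO app_user;

CREATE TABLE notes (
  id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner_id uuid NOT NULL,
  body     text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;

-- Per-user isolation: only rows the caller owns are visible or writable.
CREATE POLICY notes_owner ON notes
  USING (owner_id = current_user_id())
  WITH CHECK (owner_id = current_user_id());
-- Admins may read every row; the role check goes through has_role().
CREATE POLICY notes_admin_read ON notes FOR SELECT
  USING (has_role('admin'));
```

    Because the permissive policies are OR-ed together, a non-admin session sees only its own rows, and an INSERT or UPDATE that sets owner_id to another user's id fails the WITH CHECK clause.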

    On the roadmap

    We're building toward formal compliance programs and will publish reports here as we complete them. Until those programs are finished, we won't display badges that don't reflect what we've actually done.

    • SOC 2 Type II readiness assessment
    • FERPA Data Processing Agreement template for institutions
    • GDPR Data Subject Access Request (DSAR) self-service portal
    • Third-party penetration test

    If your institution has specific compliance requirements, contact us; we're happy to discuss what's in place today and where we are on the roadmap.

    Questions or vulnerability reports

    We take security reports seriously. If you've discovered a vulnerability or have a security question, get in touch and we'll respond promptly.

    Contact us at security@bevinzey.com