Security and Data Protection

How Sukrat protects your data and maintains platform security

Last Updated: June 1, 2026

Sukrat AI is committed to protecting student data and maintaining the security of the platform. This page describes the specific technical and organizational measures we use.

1. Encryption

1.1 Encryption in Transit

TLS 1.2+ is enforced across all endpoints — the Sukrat web app, backend API, and all connections to infrastructure services. There are no unencrypted paths to student data.

1.2 Encryption at Rest

All student data is encrypted at rest using AES-256, managed by Supabase (EU region) and DigitalOcean. Object storage (uploaded course materials) uses DigitalOcean Spaces with server-side encryption.

2. Data Isolation (Tenant Security)

Sukrat uses Supabase Row-Level Security (RLS) to enforce strict data isolation:

  • No student can access another student's data — this is enforced at the database level, not just the application layer
  • School administrator access is scoped to their own institution's students only
  • No school can access another school's student data

3. Authentication and Account Security

  • Authentication is handled by Supabase Auth with secure session tokens; passwords are never stored in plaintext
  • Production database access requires multi-factor authentication and is restricted to named team members with a documented legitimate need
  • Session tokens are refreshed automatically and expire on inactivity
  • CSRF protection is enforced on all state-changing requests

4. Infrastructure Security

Sukrat's infrastructure is built on providers with independent security certifications:

  • Supabase (EU region) — database, authentication, and RLS enforcement; SOC 2 Type II certified
  • DigitalOcean — API hosting and object storage; SOC 2 Type II certified
  • Vercel — frontend hosting; SOC 2 Type II certified
  • Cloudflare — CDN, DDoS protection, and Web Application Firewall (WAF); ISO 27001 certified

5. No PII in Development or Staging

Student personally identifiable data is never accessible in development or staging environments. Test and development environments use synthetic data only.

6. AI Provider Security

No student PII is included in prompts sent to external AI providers. Prompts contain only anonymized curriculum content (question text, syllabus reference, mastery state for the relevant topic). See our AI Usage Policy for the full No-PII LLM Policy.

7. Monitoring and Threat Detection

  • Application errors are captured by Sentry, with PII scrubbed before transmission
  • Cloudflare WAF monitors and blocks malicious traffic at the network edge
  • Supabase infrastructure monitoring detects anomalous database access patterns
  • Sukrat team reviews security alerts and responds to detected incidents promptly

8. Breach Response

If a confirmed security breach affects student personal data, Sukrat will:

  • Notify affected schools within 72 hours of confirmation
  • Notify affected individual users where required by law
  • Provide a description of the incident, data affected, and remediation steps taken

For details on our incident response process, see the Security Incident Response Policy.

9. Vulnerability Disclosure

If you believe you have discovered a security vulnerability in the Sukrat platform, please report it responsibly to security@sukrat.ai. Do not exploit or publicly disclose the vulnerability before giving us a reasonable opportunity to respond.

10. User Responsibilities

Platform security is a shared responsibility. You can help by:

  • Using a strong, unique password for your Sukrat account
  • Not sharing your account credentials
  • Logging out of shared devices after use
  • Notifying us immediately at security@sukrat.ai if you suspect unauthorized access to your account

11. Limitations

No system is completely immune to security incidents. While we implement the measures described above, we cannot guarantee absolute security. We continuously improve our security posture and respond to the evolving threat landscape.

Last Modified: June 1, 2026

Version: 2.0