SOC 2 Compliance

School-Core's commitment to SOC 2 Type II controls.

Effective May 1, 2026 · v1.0 — June 2026

SOC 2 Trust Service Criteria

School-Core's security controls mapped to the AICPA SOC 2 framework. 30 of 30 controls implemented. Our security program is designed in alignment with the AICPA's Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, plus ISO/IEC 27001 and the NIST Cybersecurity Framework.

Security

10 of 10 controls implemented.

  • Role-based access control (RBAC) — comprehensive role catalog with three-layer permission resolution and a custom-role mechanism for tenant-defined permission sets
  • Multi-factor authentication (MFA) — TOTP + one-time backup codes; required for administrative roles
  • Encryption at rest — AES-256 provider-managed, with additional application-level AES-256-GCM on sensitive fields (MFA secrets, OAuth refresh tokens)
  • Encryption in transit — TLS 1.2+ enforced, HSTS in force
  • Rate limiting — applied to authentication, account creation, password reset, MFA verification, and public form submissions, backed by a distributed store
  • XSS prevention — server-side HTML sanitization on user-generated content; restrictive Content Security Policy headers
  • SQL injection prevention — parameterized queries via ORM
  • Session management — encrypted, server-issued, periodically rotated tokens; HttpOnly cookies; per-device revocation
  • Password security — irreversible bcrypt at industry-recommended cost; tenant-configurable complexity policy
  • Security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy applied on every response

Availability

5 of 5 controls implemented.

  • Cloud infrastructure — Vercel (SOC 2) + Supabase (SOC 2) + Cloudflare R2 (SOC 2)
  • Automated database backups — Point-in-time recovery via Supabase
  • Error monitoring — Sentry real-time alerting
  • Edge delivery — Vercel global CDN for low-latency access
  • Incident response plan — Documented 6-phase plan with 72-hour notification

Confidentiality

5 of 5 controls implemented.

  • Multi-tenant data isolation — 8,000+ tenantId references in queries, CASCADE deletes, no cross-tenant access
  • Audit logging — Login (success+failure), logout, OAuth link/unlink, user CRUD, file/folder mutations, billing events, Stripe webhooks, HR records — all logged with IP, user agent, oldValues/newValues diff. Typed AuditAction catalog (95+ entries) prevents string drift
  • Principle of least privilege — Users access only data required for their role
  • Data classification — Student PII, health records, and financial data identified and protected
  • Sub-processor management — DPAs with all 8 vendors, public registry maintained

Processing Integrity

4 of 4 controls implemented.

  • Input validation — Zod schemas on all API inputs (34 validator modules)
  • Data integrity checks — Prisma foreign key constraints, unique constraints
  • Automated testing — Type checking on all files
  • Change management — Git-based version control, PR reviews, CI/CD pipeline

Privacy

6 of 6 controls implemented.

  • COPPA consent tracking — Parental consent for under-13, AI/photo opt-out
  • GDPR right to erasure — Data export + deletion request with 30-day waiting period
  • Data retention automation — Auto-delete read notifications (90d), XP transactions (2yr), AI summaries (1yr)
  • Privacy policy — Comprehensive 499-line policy covering 11 jurisdictions
  • Data Processing Agreement — 790-line DPA with FERPA school official designation
  • No data selling — No advertising, no data brokers, no profiling for marketing

Certification roadmap

  • SOC 2 Type I audit engagement — target Q3 2026
  • Formal penetration test — target Q3 2026
  • SOC 2 Type I report — target Q4 2026
  • SOC 2 Type II monitoring period begins — target Q4 2026
  • SOC 2 Type II report — target Q2 2027
  • ISO 27001 assessment — target 2027

Requesting our SOC 2 report

Customers under NDA can request our SOC 2 Type II report (when issued) by emailing trust@school-core.com. This page documents our controls alignment with SOC 2 Trust Service Criteria; for formal compliance inquiries contact security@school-core.com.

See also: Security Policy · Incident Response · Sub-Processors.

Last updated: June 2026 · v1.0 — June 2026