SOC 2 Trust Service Criteria
School-Core's security controls mapped to the AICPA SOC 2 framework. 30 of 30 controls implemented. Our security program is designed in alignment with the AICPA's Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, plus ISO/IEC 27001 and the NIST Cybersecurity Framework.
Security
10 of 10 controls implemented.
- Role-based access control (RBAC) — comprehensive role catalog with three-layer permission resolution and a custom-role mechanism for tenant-defined permission sets
- Multi-factor authentication (MFA) — TOTP + one-time backup codes; required for administrative roles
- Encryption at rest — AES-256 provider-managed, with additional application-level AES-256-GCM on sensitive fields (MFA secrets, OAuth refresh tokens)
- Encryption in transit — TLS 1.2+ enforced, HSTS in force
- Rate limiting — applied to authentication, account creation, password reset, MFA verification, and public form submissions, backed by a distributed store
- XSS prevention — server-side HTML sanitization on user-generated content; restrictive Content Security Policy headers
- SQL injection prevention — parameterized queries via ORM
- Session management — encrypted, server-issued, periodically rotated tokens; HttpOnly cookies; per-device revocation
- Password security — irreversible bcrypt at industry-recommended cost; tenant-configurable complexity policy
- Security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy applied on every response
Availability
5 of 5 controls implemented.
- Cloud infrastructure — Vercel (SOC 2) + Supabase (SOC 2) + Cloudflare R2 (SOC 2)
- Automated database backups — Point-in-time recovery via Supabase
- Error monitoring — Sentry real-time alerting
- Edge delivery — Vercel global CDN for low-latency access
- Incident response plan — Documented 6-phase plan with 72-hour notification
Confidentiality
5 of 5 controls implemented.
- Multi-tenant data isolation — 8,000+ tenantId references in queries, CASCADE deletes, no cross-tenant access
- Audit logging — Login (success+failure), logout, OAuth link/unlink, user CRUD, file/folder mutations, billing events, Stripe webhooks, HR records — all logged with IP, user agent, oldValues/newValues diff. Typed AuditAction catalog (95+ entries) prevents string drift
- Principle of least privilege — Users access only data required for their role
- Data classification — Student PII, health records, and financial data identified and protected
- Sub-processor management — DPAs with all 8 vendors, public registry maintained
Processing Integrity
4 of 4 controls implemented.
- Input validation — Zod schemas on all API inputs (34 validator modules)
- Data integrity checks — Prisma foreign key constraints, unique constraints
- Automated testing — Type checking on all files
- Change management — Git-based version control, PR reviews, CI/CD pipeline
Privacy
6 of 6 controls implemented.
- COPPA consent tracking — Parental consent for under-13, AI/photo opt-out
- GDPR right to erasure — Data export + deletion request with 30-day waiting period
- Data retention automation — Auto-delete read notifications (90d), XP transactions (2yr), AI summaries (1yr)
- Privacy policy — Comprehensive 499-line policy covering 11 jurisdictions
- Data Processing Agreement — 790-line DPA with FERPA school official designation
- No data selling — No advertising, no data brokers, no profiling for marketing
Certification roadmap
- SOC 2 Type I audit engagement — target Q3 2026
- Formal penetration test — target Q3 2026
- SOC 2 Type I report — target Q4 2026
- SOC 2 Type II monitoring period begins — target Q4 2026
- SOC 2 Type II report — target Q2 2027
- ISO 27001 assessment — target 2027
Requesting our SOC 2 report
Customers under NDA can request our SOC 2 Type II report (when issued) by emailing trust@school-core.com. This page documents our controls alignment with SOC 2 Trust Service Criteria; for formal compliance inquiries contact security@school-core.com.
See also: Security Policy · Incident Response · Sub-Processors.
Last updated: June 2026 · v1.0 — June 2026