Overview
ThinkingEngine uses administrative, technical, and organizational safeguards to protect teacher accounts, student dialogue data, and session transcripts. Some safeguards are implemented directly; others are provided by our infrastructure vendors. No formal security certifications (SOC 2, ISO 27001, etc.) are claimed.
Current Security Controls
The following controls are currently implemented:
| Control | Description |
|---|---|
| Teacher authentication | Secure login with email and password for teacher accounts. No student passwords for standard classroom use. |
| Two-factor authentication (optional) | Optional TOTP-based 2FA available for teacher accounts. Admin panel access requires TOTP for superuser roles. |
| Limited superuser access | Administrative access is restricted to a verified email whitelist. No broad administrative accounts. |
| Vendor-supported hosting | Application is hosted by Polsia on Render, a SOC 2-compliant cloud platform. Database is provided by Neon (PostgreSQL). |
| No student payment data | ThinkingEngine does not collect or store student payment information. Teacher billing is processed by Stripe independently. |
| No student passwords | Students access sessions via teacher-generated codes. No student account creation or password management required. |
For district agreement review: Before entering a district agreement, the following items should be confirmed directly with ThinkingEngine:
- Encryption at rest for all stored student dialogue transcripts
- Audit logging for administrative access and data export events
- Penetration testing results (if available or scheduled)
- Backup encryption and retention policies
Contact privacy@thinkingengine.org to request documentation on any of the above items.
Responsible Disclosure
If you discover a security vulnerability, please contact us at security@thinkingengine.org. We ask that you:
- Report the issue promptly, giving us reasonable time to address it before public disclosure
- Provide sufficient detail to allow us to reproduce and verify the issue
- Avoid accessing or modifying data beyond what is necessary to demonstrate the vulnerability