Security & Privacy

Built on the same infrastructure your school's IT department would approve.

Students share sensitive information with AdmitPath: GPAs, test scores, family income for net-price estimates, draft essays. We treat that data with the same operational standards a SOC 2-audited enterprise SaaS uses. Here's the full posture, broken out by topic.

Hosting infrastructure

AdmitPath runs on Vercel (compute + edge) with Neon (Postgres). Both are SOC 2 Type II compliant. Application servers are stateless; user data lives only in the encrypted Postgres database. No long-running servers we'd need to patch in-place — every deploy is an immutable rebuild.

  • Vercel — SOC 2 Type II, ISO 27001
  • Neon — SOC 2 Type II, GDPR Article 28 DPA available
  • Edge functions for low-latency, no co-located persistent state
  • Immutable deploys — no SSH access to running infrastructure

Encryption

All data is encrypted at rest (AES-256, keys managed by Neon) and in transit (TLS 1.3; HTTPS is enforced via the HSTS preload list and the upgrade-insecure-requests CSP directive). The HSTS max-age is 2 years and the domain is on the preload list.

  • AES-256 at rest (Neon-managed encryption keys)
  • TLS 1.3 in transit, no fallback to TLS 1.0/1.1
  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • All HTTP requests upgrade to HTTPS via CSP upgrade-insecure-requests

Payment security

Payments are processed by Stripe. Card numbers never touch AdmitPath servers — Stripe Elements posts directly to Stripe's tokenization endpoint. Stripe is PCI-DSS Level 1 (the highest classification). We store only a customer ID and a subscription ID.

  • Stripe Elements (PCI scope outsourced)
  • Webhook signature verification on every Stripe event
  • Idempotency keys on every webhook write to prevent duplicate processing
  • Customer Portal for self-serve plan changes — no support agent ever sees your card
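
Webhook signature verification and idempotent processing, as an added example in TypeScript that is not AdmitPath's code. In a real route handler the check is one call to the Stripe SDK's `stripe.webhooks.constructEvent`; this block re-implements the documented scheme behind that call (the `Stripe-Signature` header carries `t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`, checked against a clock tolerance and compared in constant time) so the properties being enforced are visible. The secret, the event body and the `WebhookProcessor` class are constructed for this example; its in-memory `seen` set stands in for a database table keyed on the Stripe event id.

```typescript
// Added example, not AdmitPath's code. Re-implements Stripe's documented signing scheme
// for illustration; production code should call the Stripe SDK's constructEvent instead.
import { createHmac, timingSafeEqual } from "node:crypto";

export const DEFAULT_TOLERANCE_SECONDS = 300; // Stripe's default replay window

/** HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded. Must use the raw, unparsed body. */
export function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

/** Builds a header in Stripe's format; used here only to construct sample events. */
export function makeSignatureHeader(secret: string, timestamp: number, rawBody: string): string {
  return `t=${timestamp},v1=${signPayload(secret, timestamp, rawBody)}`;
}

export function verifyStripeSignature(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number,
  toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,
): boolean {
  let timestamp = NaN;
  const candidates: string[] = [];
  for (const item of header.split(",")) {
    const eq = item.indexOf("=");
    if (eq < 0) continue;
    const key = item.slice(0, eq).trim();
    const val = item.slice(eq + 1).trim();
    if (key === "t") timestamp = Number(val);
    else if (key === "v1") candidates.push(val); // several v1 values appear during secret rotation
  }
  if (!Number.isFinite(timestamp) || candidates.length === 0) return false;
  if (Math.abs(nowSeconds - timestamp) > toleranceSeconds) return false; // stale or future-dated
  const expected = Buffer.from(signPayload(secret, timestamp, rawBody), "hex");
  return candidates.some((c) => {
    const got = Buffer.from(c, "hex");
    // timingSafeEqual throws on length mismatch, so compare lengths first
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

export type Outcome = "applied" | "duplicate" | "rejected";

/** Verifies first, then applies each Stripe event at most once. */
export class WebhookProcessor {
  private readonly secret: string;
  private readonly seen = new Set<string>(); // stands in for a unique-indexed events table
  readonly applied: string[] = [];

  constructor(secret: string) {
    this.secret = secret;
  }

  handle(rawBody: string, signatureHeader: string, nowSeconds: number): Outcome {
    // Never parse the body before the signature is verified.
    if (!verifyStripeSignature(rawBody, signatureHeader, this.secret, nowSeconds)) return "rejected";
    const event = JSON.parse(rawBody) as { id: string; type: string };
    // Stripe retries deliveries; the event id is the idempotency key for every write.
    if (this.seen.has(event.id)) return "duplicate";
    this.seen.add(event.id);
    this.applied.push(`${event.type}:${event.id}`);
    return "applied";
  }
}
```

The order inside `handle` is the point: an unsigned or stale request never reaches `JSON.parse`, and a verified-but-already-seen event id returns `duplicate` without touching application state.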

Authentication

Authentication is handled by Clerk (SOC 2 Type II, ISO 27001). Sessions use rotating refresh tokens with short access-token TTL. MFA available via TOTP. Password policy: 12-character minimum, breached-password screening via the Have I Been Pwned API.

  • Clerk — SOC 2 Type II, ISO 27001
  • MFA via TOTP (Google Authenticator, Authy, 1Password, etc.)
  • Breached-password screening at signup
  • Rotating refresh tokens, short access-token TTL
  • Optional: SSO via Google, Apple, GitHub at signup

Data isolation

Every database query is scoped to the authenticated user via the Clerk session. Account deletion soft-deletes (sets a deletedAt timestamp on) the user's rows in User, Profile, Essay, CollegeList, Subscription, and Analysis in a single Postgres transaction, so the cascade applies to all of these tables or to none of them. No application code has cross-tenant query paths.

  • Clerk-scoped queries — no global SELECT * surfaces
  • Soft-delete cascade across 7 tables in one $transaction
  • Tombstoned-account check (`requireUser`) prevents resurrection
  • Stripe customer/subscription IDs are stripped from data exports
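
The isolation model above, as an added example in TypeScript that is not AdmitPath's code (the real implementation runs a Prisma `$transaction` against Postgres, which the page names but does not show): an in-memory store whose only read path is scoped by the session's user id, a `requireUser` check that refuses tombstoned accounts, and an account deletion that soft-deletes every row across the tables the page names inside one all-or-nothing transaction. The `Store` class, its snapshot-based transaction and the `interrupt` hook used to show rollback are constructed for this example.

```typescript
// Added example, not AdmitPath's code. An in-memory stand-in for the Postgres schema;
// the transaction is simulated with snapshot/restore so rollback can be demonstrated.

export const USER_TABLES = ["User", "Profile", "Essay", "CollegeList", "Subscription", "Analysis"] as const;
export type Table = (typeof USER_TABLES)[number];

export interface Row {
  id: number;
  userId: string;
  deletedAt: Date | null; // soft-delete tombstone
}

export class Store {
  private rows = new Map<Table, Row[]>();
  private nextId = 1;

  constructor() {
    for (const t of USER_TABLES) this.rows.set(t, []);
  }

  insert(table: Table, userId: string): Row {
    const row: Row = { id: this.nextId++, userId, deletedAt: null };
    this.rows.get(table)!.push(row);
    return row;
  }

  /** The only read path: always filtered by the session's user id and by deletedAt. */
  findForUser(table: Table, userId: string): Row[] {
    return this.rows.get(table)!.filter((r) => r.userId === userId && r.deletedAt === null);
  }

  /** Tombstone check: a deleted account is refused, so a later request cannot resurrect it. */
  requireUser(userId: string): Row {
    const user = this.rows.get("User")!.find((r) => r.userId === userId);
    if (user === undefined) throw new Error("unknown user");
    if (user.deletedAt !== null) throw new Error("account deleted");
    return user;
  }

  /** All-or-nothing: if fn throws, every table is restored to its pre-transaction state. */
  transaction<T>(fn: () => T): T {
    const snapshot = new Map<Table, Row[]>();
    this.rows.forEach((rs, t) => snapshot.set(t, rs.map((r) => ({ ...r }))));
    try {
      return fn();
    } catch (e) {
      this.rows = snapshot; // roll back partial writes
      throw e;
    }
  }

  /**
   * Soft-deletes every row owned by userId across all user tables in one transaction
   * and returns the number of rows tombstoned. `interrupt` exists only so the example
   * can demonstrate rollback; a real implementation has no such hook.
   */
  deleteAccount(userId: string, now: Date, interrupt?: (table: Table) => void): number {
    return this.transaction(() => {
      this.requireUser(userId); // a second delete of the same account is refused here
      let touched = 0;
      for (const t of USER_TABLES) {
        if (interrupt) interrupt(t);
        for (const r of this.rows.get(t)!) {
          if (r.userId === userId && r.deletedAt === null) {
            r.deletedAt = now;
            touched++;
          }
        }
      }
      return touched;
    });
  }
}
```

`findForUser` is deliberately the only query method: there is no way to ask the store for "all essays", which is what "no global SELECT * surfaces" means in practice.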

Privacy & GDPR

AdmitPath supports the full set of GDPR data subject rights via in-product endpoints. No support ticket required: download your data or delete your account from the Settings page in one click each. PII in logs is automatically redacted.

  • Article 17 (Right to erasure) — /api/account/delete with cascade
  • Article 20 (Right to portability) — /api/account/export returns JSON
  • Article 15 (Right of access) — same /api/account/export endpoint
  • PII redaction in error logs (lib/log-error.ts redactPII)
  • CAN-SPAM-compliant unsubscribe via /api/unsubscribe (1-click)
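
PII redaction for error logs, as an added example in TypeScript; it is not the project's `lib/log-error.ts`, whose internals the page does not show. It combines key-based redaction (fields such as email, gpa or income are replaced wherever they appear in the logged context) with pattern-based redaction of free text (email addresses, US SSNs, phone numbers and Stripe-style secret-key prefixes), and applies the text patterns to the error message and stack as well. The field list, the patterns, the sample context and the `logError` wrapper are constructed for this example.

```typescript
// Added example, not the project's lib/log-error.ts. Key list and patterns are constructed.

export type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

/** Field names redacted wholesale, compared case-insensitively. */
const SENSITIVE_KEYS = new Set([
  "email", "phone", "ssn", "dob", "address", "gpa", "testscore", "income", "familyincome",
  "password", "authorization", "cookie",
]);
const SENSITIVE_KEY_PATTERN = /token|secret|apikey|api_key/i;

/** Free-text patterns, applied in order to every string value, error message and stack. */
const TEXT_PATTERNS: Array<[RegExp, string]> = [
  [/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, "[email]"],
  [/\b\d{3}-\d{2}-\d{4}\b/g, "[ssn]"],
  [/(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, "[phone]"],
  [/\b(?:sk_live|sk_test|rk_live|rk_test|whsec)_[A-Za-z0-9]+/g, "[stripe-key]"],
];

export function redactString(text: string): string {
  return TEXT_PATTERNS.reduce((acc, [re, label]) => acc.replace(re, label), text);
}

function isSensitiveKey(key: string): boolean {
  return SENSITIVE_KEYS.has(key.toLowerCase()) || SENSITIVE_KEY_PATTERN.test(key);
}

/** Recursively redacts a JSON-like context value; never mutates its input. */
export function redactPII(value: Json, depth: number = 0): Json {
  if (depth > 32) return "[truncated]"; // bounds recursion on pathological input
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactPII(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      // A sensitive key is dropped regardless of its value's type (numbers like a GPA included).
      out[k] = isSensitiveKey(k) ? "[redacted]" : redactPII(v, depth + 1);
    }
    return out;
  }
  return value; // number, boolean, null
}

export interface LogRecord {
  name: string;
  message: string;
  stack?: string;
  context: Json;
}

/** Shapes an error plus request context into a record that is safe to ship to a log sink. */
export function logError(err: Error, context: Json): LogRecord {
  return {
    name: err.name,
    message: redactString(err.message),
    stack: err.stack === undefined ? undefined : redactString(err.stack),
    context: redactPII(context),
  };
}
```

Redacting the error message itself matters as much as the context object: database and validation errors routinely echo the offending value (a duplicate email, a malformed phone number) back in their message text.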

Security headers

Every response from AdmitPath ships with a defense-in-depth header stack: a Content-Security-Policy with allow-listed origins, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that disables camera, microphone, geolocation and interest-cohort.

  • Content-Security-Policy with explicit script-src / style-src / connect-src / frame-src allow-lists
  • X-Frame-Options: DENY (matches CSP frame-ancestors 'none' for legacy browsers)
  • X-Content-Type-Options: nosniff (no MIME-sniffing attacks)
  • Referrer-Policy: strict-origin-when-cross-origin (no leaking referer to third parties)
  • Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
  • X-Robots-Tag: noindex, nofollow on all /api/* routes (defense in depth alongside meta robots)
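
The header stack above, as an added example in TypeScript that is not AdmitPath's own middleware: `SECURITY_HEADERS` carries the values this page lists (the CSP allow-listed origins are placeholders, since the page does not name them), `headersFor` adds the X-Robots-Tag on /api/* routes, and `auditSecurityHeaders` checks a response's headers against that policy, including the HSTS max-age, includeSubDomains and preload requirements from the Encryption section. The function names and the finding codes are this example's own.

```typescript
// Added example, not AdmitPath's code. Header values are those listed on the page;
// the CSP origins are constructed placeholders; the audit logic is this example's own.

export const TWO_YEARS_SECONDS = 63072000; // 730 days, the page's HSTS max-age

export const SECURITY_HEADERS: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": [
    "default-src 'self'",
    "script-src 'self' https://scripts.placeholder.invalid", // placeholder origins
    "style-src 'self' https://styles.placeholder.invalid",
    "connect-src 'self' https://api.placeholder.invalid",
    "frame-src https://frames.placeholder.invalid",
    "frame-ancestors 'none'",
    "upgrade-insecure-requests",
  ].join("; "),
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
};

/** Header set for a path: API routes additionally get X-Robots-Tag. */
export function headersFor(pathname: string): Record<string, string> {
  const h: Record<string, string> = { ...SECURITY_HEADERS };
  if (pathname.startsWith("/api/")) h["X-Robots-Tag"] = "noindex, nofollow";
  return h;
}

/** Case-insensitive header lookup (HTTP header names are case-insensitive). */
function lookup(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

/** Parse "max-age=N; includeSubDomains; preload". maxAge is NaN when absent or malformed. */
export function parseHsts(value: string): { maxAge: number; includeSubDomains: boolean; preload: boolean } {
  const r = { maxAge: NaN, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const t = raw.trim().toLowerCase();
    if (t.startsWith("max-age=")) r.maxAge = Number(t.slice("max-age=".length));
    else if (t === "includesubdomains") r.includeSubDomains = true;
    else if (t === "preload") r.preload = true;
  }
  return r;
}

/** Parse a CSP into directive name -> lower-cased source list. */
export function parseCsp(value: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return out;
}

/** Features a Permissions-Policy disables outright, i.e. "feature=()". */
export function disabledFeatures(value: string): Set<string> {
  const off = new Set<string>();
  for (const raw of value.split(",")) {
    const feature = raw.trim().match(/^([a-z-]+)=\(\s*\)$/i)?.[1];
    if (feature) off.add(feature.toLowerCase());
  }
  return off;
}

/** Returns finding codes; an empty list means the response matches the policy above. */
export function auditSecurityHeaders(headers: Record<string, string>): string[] {
  const findings: string[] = [];
  const hsts = lookup(headers, "Strict-Transport-Security");
  if (hsts === undefined) findings.push("hsts-missing");
  else {
    const h = parseHsts(hsts);
    if (!(h.maxAge >= TWO_YEARS_SECONDS)) findings.push("hsts-max-age-below-two-years"); // also catches NaN
    if (!h.includeSubDomains) findings.push("hsts-missing-includesubdomains");
    if (!h.preload) findings.push("hsts-missing-preload");
  }
  const cspValue = lookup(headers, "Content-Security-Policy");
  const csp = cspValue === undefined ? new Map<string, string[]>() : parseCsp(cspValue);
  if (cspValue === undefined) findings.push("csp-missing");
  for (const d of ["script-src", "style-src", "connect-src", "frame-src"]) {
    if (!csp.has(d)) findings.push(`csp-no-${d}-allow-list`);
  }
  if (!csp.has("upgrade-insecure-requests")) findings.push("csp-missing-upgrade-insecure-requests");
  // Modern browsers honour frame-ancestors; legacy ones read X-Frame-Options. Both must deny framing.
  if (!(csp.get("frame-ancestors") ?? []).includes("'none'")) findings.push("csp-frame-ancestors-not-none");
  if (lookup(headers, "X-Frame-Options")?.toUpperCase() !== "DENY") findings.push("x-frame-options-not-deny");
  if (lookup(headers, "X-Content-Type-Options")?.toLowerCase() !== "nosniff") findings.push("nosniff-missing");
  if (lookup(headers, "Referrer-Policy")?.toLowerCase() !== "strict-origin-when-cross-origin") {
    findings.push("referrer-policy-too-permissive");
  }
  const off = disabledFeatures(lookup(headers, "Permissions-Policy") ?? "");
  for (const f of ["camera", "microphone", "geolocation", "interest-cohort"]) {
    if (!off.has(f)) findings.push(`permissions-policy-${f}-not-disabled`);
  }
  return findings;
}
```

Run `auditSecurityHeaders` over the headers of a real response (for example the object returned by `fetch(...).then(r => Object.fromEntries(r.headers))`) and treat any non-empty result as a regression; the check is cheap enough to sit in CI against a preview deployment.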

Secrets & key management

All API keys (Stripe, Clerk, Resend, Groq, Cerebras, Anthropic) are stored as environment variables, never committed to source. Production keys are scoped to Vercel's encrypted environment-variable system. Quarterly rotation for sensitive keys.

  • Zero hardcoded secrets — verified by repo grep + automated audit
  • .env.example documents required env vars without values
  • Production keys scoped to Vercel encrypted env-var system
  • Quarterly rotation cadence for Stripe + Resend + LLM provider keys
  • Incident-response playbook for any key compromise

Incident response

Security incidents are triaged within 24 hours, with affected users notified within 72 hours per GDPR Article 33. Compromised credentials trigger forced password reset + session revocation + key rotation. Quarterly internal security review documents any anomalies.

  • 24-hour triage SLA for security reports
  • 72-hour user notification per GDPR Article 33
  • Quarterly internal security review
  • Bug-bounty contact: maestro.committee@gmail.com
  • Responsible-disclosure policy: report → 90-day fix window before public disclosure

Report a vulnerability

Email maestro.committee@gmail.com with details. We acknowledge within 24 hours and remediate critical findings within 7 days.

Responsible-disclosure policy: 90-day fix window before public disclosure.

Ready to score your profile?

Built on infrastructure that meets enterprise security standards. Your data is encrypted, isolated, and deletable in one click.