Security

1. Our Commitment to Security

At Pathren, security is fundamental to everything we build. We understand that educational institutions trust us with sensitive student data, and we take that responsibility seriously.

Security-First Design

Security is not an afterthought—it's built into our architecture from the ground up:

• Single-tenant architecture: Each institution receives its own dedicated infrastructure, providing physical isolation of data
• Defense in depth: Multiple layers of security controls protect data at every level
• Principle of least privilege: Users and systems have only the minimum access necessary
• Privacy by design: Data minimization and protection are core design principles

2. Infrastructure Security

2.1 Hosting Providers

Pathren is hosted on industry-leading cloud infrastructure:

2.2 Data Location

All data is stored and processed in the United States:

• Primary database: US-based Supabase infrastructure (AWS)
• Application servers: US-based Railway infrastructure
• AI processing: US-based endpoints with Zero Data Retention

2.3 Encryption

3. Application Security

3.1 Authentication

• Supabase Auth: Industry-standard authentication with secure session management
• SSO/SAML: Integration with institutional identity providers
• LTI 1.3: Secure learning tool interoperability with LMS platforms
• CAS: Central Authentication Service support for higher education
• Session security: Secure, HTTP-only cookies with automatic refresh

3.2 Authorization

• Role-based access control: Granular permissions for students, faculty, and administrators
• Row-Level Security (RLS): Database-enforced access controls as defense in depth
• Session-scoped queries: All data access is scoped to the authenticated user

3.3 Input Validation

• Server-side validation: All inputs validated with Zod schemas
• XSS prevention: Content Security Policy and output encoding
• SQL injection prevention: Parameterized queries via Drizzle ORM
• Rate limiting: Protection against brute force and abuse

4. Data Protection

4.1 Single-Tenant Isolation

Each institution receives its own dedicated Pathren deployment:

• Separate database: Institution data is physically isolated, not just logically separated
• Separate application instance: Dedicated infrastructure per institution
• No data commingling: Cross-institution data access is architecturally impossible

4.2 Audit Logging

Comprehensive audit trails for security and compliance:

• All administrative actions are logged
• Source IP addresses captured for security monitoring
• Append-only audit logs prevent tampering
• 7-year retention for compliance requirements

4.3 Backup & Recovery

• Automated daily backups with point-in-time recovery
• Encrypted backup storage
• 30-day backup retention
• Tested disaster recovery procedures

5. AI Security

5.1 Zero Data Retention

All AI processing uses providers configured with Zero Data Retention (ZDR):

• Prompts and responses are not stored by AI providers
• Data is not used for AI model training
• Requests are submitted anonymously where supported

5.2 Server-Side Processing

All AI interactions are processed server-side:

• No direct client-to-AI communication
• API keys never exposed to browsers
• Full control over what data reaches AI providers

5.3 AI Guardrails

• Prompt engineering limits scope to educational content
• Input validation prevents injection attacks
• Rate limiting prevents abuse
• Content filtering for inappropriate requests

6. Compliance

6.1 FERPA

Pathren is designed for FERPA compliance:

• Operates as a "school official" under the FERPA school official exception
• Processes student education records on behalf of institutions
• Single-tenant architecture ensures data isolation
• Audit logging supports institutional compliance requirements

6.2 HECVAT

Pathren has completed the Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment. Institutions can request the full HECVAT response for their security review.

6.3 SOC 2

SOC 2 Type II certification is on our roadmap. Our infrastructure providers (Supabase, Railway) maintain their own SOC 2 certifications.

6.4 Accessibility

Pathren is committed to accessibility:

• Target: WCAG 2.1 AA conformance
• Keyboard navigation support
• Screen reader compatibility
• VPAT documentation available upon request

7. Vulnerability Reporting

We appreciate the security research community's efforts to help keep Pathren secure.

7.1 How to Report

If you discover a security vulnerability, please report it to:

Email: security@pathren.com

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

7.2 Response Timeline

7.3 Safe Harbor

We will not take legal action against researchers who:

• Make good faith efforts to avoid privacy violations and data destruction
• Only interact with accounts they own or have permission to test
• Do not exploit vulnerabilities beyond demonstration
• Report findings promptly and allow reasonable time for remediation

8. Security Documentation

We provide detailed security documentation to help institutions evaluate Pathren:

Available Upon Request

• HECVAT Assessment: HECVAT Lite responses (Full available upon request)
• Data Retention Policy: Complete retention periods, disposal procedures, and legal hold processes
• AI Use Policy: AI provider configuration, data handling, guardrails, and safety measures
• Technical Security Documentation: Architecture overview, RLS configuration, and security controls
• Audit Log Documentation: Logging capabilities, retention, and access procedures

Coming Soon

• VPAT: Voluntary Product Accessibility Template (WCAG 2.1 AA)
• SOC 2 Type II: On roadmap; infrastructure providers maintain certifications

To request documentation, contact security@pathren.com.

9. Contact

For security-related inquiries, contact us.