At HeuriSight, we treat student data security as our highest priority. We implement enterprise-grade security measures that meet or exceed industry standards for educational technology platforms.
Hosting: HeuriSight is hosted on AWS US-East (Virginia), providing enterprise-grade infrastructure with data sovereignty in the United States.
Data Encryption
Encryption in Transit
TLS 1.3: All data transmitted between users and our servers is encrypted using the latest TLS protocol
HTTPS Only: We enforce HTTPS across all connections with HTTP Strict Transport Security (HSTS)
Certificate Pinning: Protects against man-in-the-middle attacks
Encryption at Rest
AES-256 Encryption: All student data stored in databases and file storage is encrypted using AES-256
Encrypted Backups: All backup copies are encrypted with separate keys
Key Management: Encryption keys are managed through AWS Key Management Service (KMS)
Infrastructure Security
Cloud Infrastructure
HeuriSight is hosted on enterprise-grade cloud infrastructure:
AWS (Amazon Web Services): SOC 2 Type II compliant cloud platform
Multi-Region Redundancy: Data backed up across multiple geographic regions
DDoS Protection: AWS Shield protects against distributed denial of service attacks
Web Application Firewall: Protects against common web exploits
Database Security
Neo4j AuraDB: Managed graph database with enterprise security
Pinecone: SOC 2 compliant vector database
Automated Backups: Daily automated backups with 30-day retention
Point-in-Time Recovery: Can restore data to any point in the last 30 days
Application Security
Authentication & Authorization
Auth0: Enterprise identity management platform
Multi-Factor Authentication (MFA): Available for all administrative users
Single Sign-On (SSO): Integration with institutional identity providers (SAML, OAuth)
Role-Based Access Control (RBAC): Granular permissions by user role
Session Management: Automatic logout after inactivity, secure session tokens
Application Code Security
Secure Development: Following OWASP Top 10 security guidelines
Code Reviews: All code changes reviewed for security vulnerabilities
Dependency Scanning: Automated scanning for known vulnerabilities in third-party libraries
Input Validation: All user inputs validated and sanitized
Socratic Probing: The AI probes reasoning in real time, asks follow-ups, and adapts to student responses — reducing the value of pre-generated answers
Evidence-Backed Scoring: Rubric-aligned scoring is backed by verbatim conversation quotes and traceable message IDs
Adaptive Re-anchoring: Follow-up questions test genuine understanding, not memorized responses
Practice vs Assessment Modes: Clear visual separation between practice and graded assessments
Attempt Controls: Configurable limits on summative assessment attempts
What HeuriSight cannot detect:
We believe in being transparent about the limitations of any technology-based assessment system:
Identity Verification: We do not verify identity beyond the HeuriSight login authentication. We cannot confirm who is physically using the account.
Off-Screen Assistance: We cannot detect if a student is receiving coaching from another person or using a second device/screen during an assessment.
Recommended mitigations:
Include clear integrity expectations in your course syllabus
Use assessment-only mode during graded windows to focus student attention
Faculty can review full conversation transcripts and override scores if needed
Grade appeals are supported by complete transcript records
Data Retention & Deletion
Active Data: Retained while institutional subscription is active
Post-Termination: 30-day grace period for data export
Secure Deletion: Data securely deleted within 90 days of contract end
Backup Purging: All backup copies deleted within 90 days
Verification: Certificate of deletion provided upon request
Service Availability & Support
Uptime Target: 99.5% availability
Support Response: We aim to respond to critical issues within 4 hours and general inquiries within 1-2 business days
Incident Communication: Status updates provided during any service disruption
Reporting Security Issues
If you discover a potential security vulnerability:
Questions About Our Security?
We're happy to discuss our security practices in detail, provide security documentation for your procurement process, or schedule a security review call with your IT team.