Trust · security

Security overview

Last updated: 2026-05-31. What we do to keep your child's account and learning data safe, in plain English.

The short version

Sign-in is handled by Clerk (passwords hashed with bcrypt, optional MFA, automatic credential-stuffing protection).
All traffic is HTTPS — strict transport security, modern TLS, HSTS preloaded.
Data at rest is encrypted by our hosting providers (Supabase, Vercel).
The AI Coach can never give the final answer — that's enforced in code (the Charter), not just in prompts.
We follow OWASP Top 10 guidance and run automated dependency scans on every push.

Authentication

Accounts are managed by Clerk, an enterprise-grade authentication service used by thousands of companies. They handle:

Password hashing with bcrypt + per-user salts.
Optional multi-factor authentication (TOTP / passkeys / SMS). We recommend turning MFA on; you can do that from your Clerk account menu in the dashboard.
Automatic detection and blocking of credential-stuffing / brute-force attempts.
Session management with HTTP-only secure cookies, rotated on every privilege change.

We never see your password. If you ever forget it, Clerk handles the reset flow; we have no way to recover it.

Transport security

All traffic to vidya.cosmos369.ai uses HTTPS via Cloudflare (TLS 1.3 + modern cipher suites).
Strict-Transport-Security (HSTS) is set to 1 year + includeSubDomains + preload. Browsers refuse to talk to us over plain HTTP.
A strict Content Security Policy blocks injection of foreign scripts (only Clerk + Cloudflare Turnstile + Supabase origins are whitelisted for the corresponding resource types).
Bot mitigation at the Cloudflare edge — Bot Fight Mode + a targeted block on the worst-behaved AI scrapers (Bytespider, CCBot). Polite AI agents (GPTBot, ClaudeBot, PerplexityBot) are allowed on public marketing pages and blocked on auth + dashboard surfaces.

Hosting + data layer

The web tier runs on Vercel (Frankfurt region + US edge for low latency in India, Europe, and North America).
The database is hosted by Supabase in the United States by default. Data at rest is encrypted with AES-256. We can move you to an EU region on request.
Row-Level Security (RLS) policies ensure one parent's data is isolated from another's at the database level — defense in depth, not just at the application layer.

The Charter — the AI security promise

The Vidya Coach is built so it physically cannot give your child the final answer to a problem. This is enforced at three layers:

The trinity backend (Assessor + Curriculum-Architect + Practice-Partner) has a deterministic veto rule: any output that contains a final answer triggers an automatic rewrite.
The narrator (the layer that produces the actual text shown to your child) has a hard-coded refusal for grades, peer comparisons, auto-enrolment, and final answers.
The chat surface shows a "Charter-bound" badge and rejects any answer-attempt with an honest "degraded" notice if any of the above fails.

Removing or bypassing these rules is not configurable — it would require shipping new code.

Children's data — COPPA + FERPA

For learners under 13 we require verifiable parental consent at account creation, store the consent record with timestamp and IP, and never send marketing email to a child account. Full details are in the Privacy policy.

What we monitor

Application errors — captured via Sentry (PII-redacted before being sent).
Security-relevant events — sign-in attempts, privilege changes, payment events — kept in an audit log for 1 year.
Anomalous traffic — Cloudflare detects and challenges suspicious patterns (botnets, credential-stuffing, scraping bursts).
Dependency vulnerabilities — Dependabot scans every package upgrade. Critical CVEs are patched within 7 days.

If something goes wrong

If you find a security issue, please email security@cosmos369.ai — we read every message within one business day. We will not threaten or sue researchers reporting good-faith findings; responsible disclosure earns our gratitude (and, where applicable, a thank-you note).

If we ever discover a breach affecting your account, we will notify you by email within 72 hours and tell you what happened, what we are doing about it, and what you should do (including free password reset assistance via Clerk).

What we will not do

We will not sell your data. Ever.
We will not use your child's chat transcripts to train third-party AI models. Chat data stays on infrastructure we control.
We will not add tracking pixels or third-party analytics that send any personal data off-platform.
We will not silently lower our security posture to hit a launch date. Every shipping change passes our internal "Standing Six" checklist (security chain, no PII to logs, HITL gates, no secrets in code, cost ceilings, Persona Discipline).