# Security overview
This article summarizes the security controls in the hosted SpeechGradebook product. It is written for the IT security, privacy, and procurement reviewers who evaluate the platform before adoption.
This is a technical overview, not legal advice. Pair it with your institution's FERPA review and counsel.
## Architecture at a glance

```mermaid
flowchart TB
  subgraph client [Browser]
    UI[SpeechGradebook UI]
  end
  subgraph app [Application tier]
    API[FastAPI on Render]
    Proxy["/qwen-api/* model proxy"]
  end
  subgraph data [Data tier]
    Auth[Supabase Auth]
    PG[(PostgreSQL + RLS)]
    Store[Supabase Storage]
  end
  subgraph ai [Evaluation tier]
    Model[SpeechGradebook Model on Modal]
  end
  UI -->|HTTPS| API
  API --> Auth
  API --> PG
  API --> Store
  API --> Proxy
  Proxy -->|TLS| Model
```
Student education records live in Supabase. The application tier enforces business rules; the database enforces row-level security even if application code regresses.
## Authentication
| Control | Implementation |
|---|---|
| Identity provider | Supabase Auth (email/password; institution SSO may be evaluated per contract) |
| Transport | HTTPS only for sign-in and API traffic |
| Session tokens | Issued by Supabase; validated on protected API routes |
| Multi-factor authentication | Supported through Supabase Auth where enabled for your project |
| Account approval | New users may require admin approval before full access (see Manage users and approvals) |
Instructors and admins sign in at speechgradebook.com. Demo or local-only modes do not persist cloud records until a full account is used.
## Authorization and data isolation
SpeechGradebook uses defense in depth: role-gated UI plus PostgreSQL row-level security (RLS) in Supabase.
| Role | Typical access boundary |
|---|---|
| Instructor | Own courses, rosters, rubrics, and evaluations |
| Admin | Users and data within their institution or department per policy |
| Super Admin | Platform-wide administration (ValidBound operations) |
RLS policies key off the authenticated user identity (`auth.uid()`), profile flags (`is_admin`, `is_super_admin`), and institution membership. An instructor cannot query another instructor's evaluations at the database layer even with a crafted API request.
See Roles and data access and Role permissions.
## Consent gate for cloud storage
Student consent is required before evaluation media and results are stored in Supabase Storage and used beyond local grading. Without consent, data may remain in browser local storage only. See Consent and data storage.
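To make the authorization model and the consent gate concrete, here is an added PostgreSQL example (written for this page, not SpeechGradebook's actual schema or policy text) of row-level security that keys off `auth.uid()`, the profile flags and institution membership, plus a storage policy that refuses recording uploads until consent is recorded. The tables `profiles`, `evaluations` and `media_consent`, their columns, the `speech-media` bucket and the `<evaluation_id>/<file>` object path layout are all assumptions; `auth.uid()`, the `authenticated` role and the `storage.objects` table are provided by Supabase.

```sql
-- Added example; the table and column names are assumptions, not the
-- product's real schema. Supabase supplies auth.uid(), the "authenticated"
-- role and the storage.objects table.

create table public.profiles (
  id             uuid primary key references auth.users (id),
  institution_id uuid not null,
  is_admin       boolean not null default false,
  is_super_admin boolean not null default false
);

create table public.evaluations (
  id             uuid primary key default gen_random_uuid(),
  instructor_id  uuid not null references public.profiles (id),
  institution_id uuid not null,
  student_ref    text not null,
  rubric_scores  jsonb,
  created_at     timestamptz not null default now()
);

create table public.media_consent (
  evaluation_id  uuid primary key references public.evaluations (id) on delete cascade,
  consent_given  boolean not null default false,
  recorded_at    timestamptz not null default now()
);

-- Enable RLS on every table holding student records. FORCE applies the
-- policies to the table owner too, so application code that regresses to
-- running as the owner still cannot read across instructors.
alter table public.profiles      enable row level security;
alter table public.evaluations   enable row level security;
alter table public.evaluations   force row level security;
alter table public.media_consent enable row level security;

-- A user may read only their own profile row. There is deliberately no insert
-- or update policy, so nobody can grant themselves is_admin from the client.
create policy profiles_self_read on public.profiles
  for select to authenticated using (id = auth.uid());

-- Instructor: full access to evaluations they own, nothing else. A crafted API
-- request for another instructor's rows returns zero rows rather than an error.
create policy evaluations_instructor_own on public.evaluations
  for all to authenticated
  using (instructor_id = auth.uid())
  with check (instructor_id = auth.uid());

-- Admin: read access within their own institution, keyed off the profile flag.
create policy evaluations_admin_institution on public.evaluations
  for select to authenticated
  using (exists (
    select 1 from public.profiles p
    where p.id = auth.uid() and p.is_admin
      and p.institution_id = evaluations.institution_id));

-- Super admin: platform-wide.
create policy evaluations_super_admin on public.evaluations
  for all to authenticated
  using (exists (select 1 from public.profiles p
                 where p.id = auth.uid() and p.is_super_admin))
  with check (exists (select 1 from public.profiles p
                      where p.id = auth.uid() and p.is_super_admin));

-- Consent rows are visible and editable only to the instructor who owns the
-- evaluation they belong to.
create policy media_consent_owner on public.media_consent
  for all to authenticated
  using (exists (select 1 from public.evaluations e
                 where e.id = media_consent.evaluation_id
                   and e.instructor_id = auth.uid()))
  with check (exists (select 1 from public.evaluations e
                      where e.id = media_consent.evaluation_id
                        and e.instructor_id = auth.uid()));

-- Consent gate for the storage bucket. Recordings are assumed to be stored as
-- <evaluation_id>/<file>. An upload is accepted only when the caller owns that
-- evaluation AND consent is recorded for it; otherwise the insert is refused
-- at the database layer and the media never leaves the browser. A path whose
-- first segment is not a UUID fails the cast and is refused as well.
create policy speech_media_upload_needs_consent on storage.objects
  for insert to authenticated
  with check (
    bucket_id = 'speech-media'
    and exists (
      select 1
      from public.evaluations e
      join public.media_consent c on c.evaluation_id = e.id
      where e.id = split_part(name, '/', 1)::uuid
        and e.instructor_id = auth.uid()
        and c.consent_given));
```

Run it against a scratch Supabase project and exercise it with two instructor accounts: a `select * from evaluations` issued with the second instructor's session token returns only that instructor's rows, whatever filter the request carries. Download access through signed URLs would get a matching `for select` policy on `storage.objects` built on the same ownership test.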
## Encryption
| Layer | Control |
|---|---|
| In transit | TLS 1.2+ for browser ↔ app, app ↔ Supabase, and app ↔ model service |
| At rest | Supabase PostgreSQL and Storage encrypt data at rest per platform defaults |
| Media upload | Signed URLs and authenticated storage paths for speech recordings (when consent allows) |
| Secrets | API keys and service credentials stored in environment variables on Render, not in client-side code for production model routing |
The production hosted path uses the SpeechGradebook Model via the backend proxy at `/qwen-api/*`. Instructors do not send student media directly to consumer LLM APIs in the default configuration.
## Audit logging
Access to student evaluation data is recorded for compliance review.
| Field | Recorded |
|---|---|
| Who | User ID, role, institution |
| What | Resource type, resource ID, student/course context where applicable |
| When | Timestamp (UTC) |
| How | Action (view, create, update, delete, export, download) |
| Context | IP address, user agent, session identifier |
Admins verify logging under Settings → Admin → Compliance. See FERPA and student records.
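As an added illustration (not the product's own audit schema), the following PostgreSQL defines an append-only audit table whose columns map onto the Who / What / When / How / Context fields above, limits reads to admins of the same institution, and ends with the kind of query a compliance reviewer would run. The `audit_log` and `profiles` tables and their columns are assumptions; `profiles` is given the same shape as in the RLS example earlier on this page and is repeated here only so the block runs on its own.

```sql
-- Added example; not the product's real audit schema. Column groups follow the
-- Who / What / When / How / Context fields listed above. profiles is assumed
-- to exist with the shape used in the RLS example; it is repeated here so the
-- block runs on its own.

create table if not exists public.profiles (
  id             uuid primary key references auth.users (id),
  institution_id uuid not null,
  is_admin       boolean not null default false
);
alter table public.profiles enable row level security;
create policy profiles_self_read on public.profiles
  for select to authenticated using (id = auth.uid());

create table public.audit_log (
  id             bigint generated always as identity primary key,
  -- Who
  user_id        uuid not null references auth.users (id),
  actor_role     text not null check (actor_role in ('instructor', 'admin', 'super_admin')),
  institution_id uuid not null,
  -- What
  resource_type  text not null,
  resource_id    uuid not null,
  student_ref    text,
  course_id      uuid,
  -- When: filled from the server clock (timestamptz is stored in UTC)
  occurred_at    timestamptz not null default now(),
  -- How
  action         text not null check (action in ('view', 'create', 'update', 'delete', 'export', 'download')),
  -- Context
  ip_address     inet,
  user_agent     text,
  session_id     text
);

alter table public.audit_log enable row level security;
alter table public.audit_log force row level security;

-- Append-only. Callers may insert rows attributed to themselves and their own
-- institution; no update or delete policy exists, so with RLS forced those
-- statements affect zero rows. The privileges are revoked as well so the
-- attempt fails loudly instead of silently doing nothing.
create policy audit_log_insert_self on public.audit_log
  for insert to authenticated
  with check (
    user_id = auth.uid()
    and institution_id = (select institution_id from public.profiles
                          where id = auth.uid()));
revoke update, delete on public.audit_log from authenticated;

-- Clients may not set id or occurred_at: replace the table-level INSERT grant
-- with a column list that leaves them out, so the server clock always wins.
revoke insert on public.audit_log from authenticated;
grant insert (user_id, actor_role, institution_id, resource_type, resource_id,
              student_ref, course_id, action, ip_address, user_agent, session_id)
  on public.audit_log to authenticated;

-- Admins read the log for their own institution only. The Supabase service
-- role bypasses RLS entirely, which is why the service key stays server-side.
create policy audit_log_admin_read on public.audit_log
  for select to authenticated
  using (exists (
    select 1 from public.profiles p
    where p.id = auth.uid() and p.is_admin
      and p.institution_id = audit_log.institution_id));

-- A question a compliance reviewer can answer from these fields: who touched a
-- given evaluation in the last 30 days, and from which session and address.
select occurred_at, user_id, actor_role, action, ip_address, session_id
from public.audit_log
where resource_type = 'evaluation'
  and resource_id = '00000000-0000-0000-0000-000000000000'  -- placeholder id
  and occurred_at >= now() - interval '30 days'
order by occurred_at desc;
```

The two revokes are what make the log trustworthy for review: without them an authenticated session could rewrite or backdate its own entries even though the application never exposes such a call.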
## Application security practices
| Practice | Detail |
|---|---|
| Backend proxy for AI | Model credentials stay server-side; the browser calls `/qwen-api/*` on the app host |
| Background jobs | Long-running evaluations use a worker that calls the GPU service directly with configured secrets (not the public app URL) |
| Error reporting | User-submitted error reports may include context for support; admins review under Settings → General → Error Reports |
| Public documentation | docs.speechgradebook.com hosts user documentation only — no student education records |
## Data retention and deletion
Default retention follows institution agreement and FERPA-oriented policy. Admins can recover soft-deleted data within configured windows. See Data handling and retention and Recover deleted data.
## Subprocessors
Third-party infrastructure (Supabase, Render, Modal, and others) is listed in Subprocessors and data locations.
## Security review checklist
Use this list when completing a vendor questionnaire:
- Confirm the authentication method meets institution policy (Supabase Auth / MFA)
- Review RLS and role model against your data classification
- Review consent workflow for cloud storage of speech media
- Confirm audit log fields meet your FERPA logging requirements
- Review subprocessor list and data residency
- Request institution-specific DPA or security addendum if required
## Reporting security concerns
For security incidents, vulnerabilities, and institution notification, see Incident response and contact.
For product errors that are not security-related, use Report an error or the contact form.