Security overview

This article summarizes security controls in the hosted SpeechGradebook product. It applies to IT security, privacy, and procurement reviewers evaluating the platform before adoption.

This is a technical overview, not legal advice. Pair it with your institution's FERPA review and counsel.

Architecture at a glance

```mermaid
flowchart TB
    subgraph client [Browser]
        UI[SpeechGradebook UI]
    end
    subgraph app [Application tier]
        API[FastAPI on Render]
        Proxy["/qwen-api/* model proxy"]
    end
    subgraph data [Data tier]
        Auth[Supabase Auth]
        PG[(PostgreSQL + RLS)]
        Store[Supabase Storage]
    end
    subgraph ai [Evaluation tier]
        Model[SpeechGradebook Model on Modal]
    end

    UI -->|HTTPS| API
    API --> Auth
    API --> PG
    API --> Store
    API --> Proxy
    Proxy -->|TLS| Model
```

Student education records live in Supabase. The application tier enforces business rules; the database enforces row-level security even if application code regresses.

Authentication

| Control | Implementation |
| --- | --- |
| Identity provider | Supabase Auth (email/password; institution SSO may be evaluated per contract) |
| Transport | HTTPS only for sign-in and API traffic |
| Session tokens | Issued by Supabase; validated on protected API routes |
| Multi-factor authentication | Supported through Supabase Auth where enabled for your project |
| Account approval | New users may require admin approval before full access (see Manage users and approvals) |

Instructors and admins sign in at speechgradebook.com. Demo or local-only modes do not persist cloud records until a full account is used.

Authorization and data isolation

SpeechGradebook uses defense in depth: role-gated UI plus PostgreSQL row-level security (RLS) in Supabase.

| Role | Typical access boundary |
| --- | --- |
| Instructor | Own courses, rosters, rubrics, and evaluations |
| Admin | Users and data within their institution or department per policy |
| Super Admin | Platform-wide administration (ValidBound operations) |

RLS policies key off authenticated user identity (auth.uid()), profile flags (is_admin, is_super_admin), and institution membership. An instructor cannot query another instructor's evaluations at the database layer even with a crafted API request.

See Roles and data access and Role permissions.
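
A sketch of how policies of this shape can be written and checked in Supabase, added here as an illustration and not taken from SpeechGradebook's schema. The `profiles` and `evaluations` tables, the `instructor_id` and `institution_id` columns, the policy names, and the UUID are assumptions; only `auth.uid()`, `is_admin`, and `is_super_admin` come from the text above.

```sql
-- Added example. Hypothetical schema: tables and columns other than
-- is_admin / is_super_admin are assumptions, not SpeechGradebook's own.
create table profiles (
  id uuid primary key,                 -- equals auth.uid() of the account
  institution_id uuid not null,
  is_admin boolean not null default false,
  is_super_admin boolean not null default false
);
create table evaluations (
  id uuid primary key default gen_random_uuid(),
  instructor_id uuid not null references profiles (id),
  institution_id uuid not null
);
alter table profiles enable row level security;
alter table evaluations enable row level security;

-- Each user may read only their own profile row, so the subqueries
-- below can see the caller's flags and nothing else.
create policy profiles_self on profiles for select to authenticated
  using (id = auth.uid());

-- Permissive policies are OR-ed: a row is visible if any one matches.
create policy eval_instructor_own on evaluations for select to authenticated
  using (instructor_id = auth.uid());
create policy eval_admin_institution on evaluations for select to authenticated
  using (exists (select 1 from profiles p
                 where p.id = auth.uid() and p.is_admin
                   and p.institution_id = evaluations.institution_id));
create policy eval_super_admin on evaluations for select to authenticated
  using (exists (select 1 from profiles p
                 where p.id = auth.uid() and p.is_super_admin));

-- Writes: the row must be attributed to the caller and their institution.
create policy eval_instructor_insert on evaluations for insert to authenticated
  with check (instructor_id = auth.uid()
    and institution_id = (select p.institution_id from profiles p
                          where p.id = auth.uid()));

-- Reviewer check: impersonate an instructor (constructed UUID) and look
-- for rows owned by anyone else. Any row returned is an isolation failure.
begin;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-0000000000a1","role":"authenticated"}', true);
set local role authenticated;
select id, instructor_id from evaluations where instructor_id <> auth.uid();
rollback;
```

The final block runs from a privileged SQL session and relies on `auth.uid()` reading the `sub` claim from `request.jwt.claims`; repeating it with an admin's UUID and a filter on `institution_id` exercises the institution boundary.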

Student consent is required before evaluation media and results are stored in Supabase Storage and used beyond local grading. Without consent, data may remain in browser local storage only. See Consent and data storage.

Encryption

| Layer | Control |
| --- | --- |
| In transit | TLS 1.2+ for browser ↔ app, app ↔ Supabase, and app ↔ model service |
| At rest | Supabase PostgreSQL and Storage encrypt data at rest per platform defaults |
| Media upload | Signed URLs and authenticated storage paths for speech recordings (when consent allows) |
| Secrets | API keys and service credentials stored in environment variables on Render, not in client-side code for production model routing |

The production hosted path uses the SpeechGradebook Model via the backend proxy at /qwen-api/*. Instructors do not send student media directly to consumer LLM APIs in the default configuration.

Audit logging

Access to student evaluation data is recorded for compliance review.

| Field | Recorded |
| --- | --- |
| Who | User ID, role, institution |
| What | Resource type, resource ID, student/course context where applicable |
| When | Timestamp (UTC) |
| How | Action (view, create, update, delete, export, download) |
| Context | IP address, user agent, session identifier |

Admins verify logging under Settings > Admin > Compliance. See FERPA and student records.

Application security practices

| Practice | Detail |
| --- | --- |
| Backend proxy for AI | Model credentials stay server-side; the browser calls /qwen-api/* on the app host |
| Background jobs | Long-running evaluations use a worker that calls the GPU service directly with configured secrets (not the public app URL) |
| Error reporting | User-submitted error reports may include context for support; admins review under Settings > General > Error Reports |
| Public documentation | docs.speechgradebook.com hosts user documentation only — no student education records |

Data retention and deletion

Default retention follows institution agreement and FERPA-oriented policy. Admins can recover soft-deleted data within configured windows. See Data handling and retention and Recover deleted data.

Subprocessors

Third-party infrastructure (Supabase, Render, Modal, and others) is listed in Subprocessors and data locations.

Security review checklist

Use this list when completing a vendor questionnaire:

  1. Confirm authentication method meets institution policy (Supabase Auth / MFA)
  2. Review RLS and role model against your data classification
  3. Review consent workflow for cloud storage of speech media
  4. Confirm audit log fields meet your FERPA logging requirements
  5. Review subprocessor list and data residency
  6. Request institution-specific DPA or security addendum if required

Reporting security concerns

For security incidents, vulnerabilities, and institution notification, see Incident response and contact.

For product errors that are not security-related, use Report an error or the contact form.