CohortLedger · v1
Security

What we do.
What we will not do.

Concrete posture, not marketing claims. We are software for schools that serve children. The bar matters.

What we do

Encryption in transit

Every connection between an operator’s browser and CohortLedger is TLS-protected. We do not accept unencrypted connections to the dashboard or the API.

Encryption at rest

The production database is encrypted at rest with managed keys held by our hosting provider. Encrypted backups are stored in the same posture and rotated on a defined schedule.

US-hosted infrastructure

Production runs in US-region infrastructure. We do not move personal information outside the United States as part of normal service operation.

Role-based access

Production access is limited to a small set of authorized Ravencord employees. Access is granted on a least-privilege basis and reviewed regularly. Sensitive administrative actions are logged.

Authentication

Operator accounts use strong password requirements. Multi-factor authentication is supported for the operator account and recommended for all schools.

Backups and recovery

Encrypted backups run on a defined schedule. We maintain a disaster recovery procedure with a documented recovery point and recovery time target.

Vulnerability management

We patch known vulnerabilities in our dependencies on a routine cadence. We use automated dependency scanning. We will accept good-faith vulnerability disclosures from security researchers at security@cohortledger.com and respond within two business days.

Subprocessors

  • Stripe, payment processing.
  • Hosting provider, US-region infrastructure.

We will notify schools in advance of adding any new subprocessor, consistent with the DPA.

What we will not do

  • We will not embed third-party advertising trackers in the dashboard.
  • We will not sell any data, ever.
  • We will not use student records to train AI models, ours or a third party's.
  • We will not display advertising to children. The dashboard is for adult operators.
  • We will not move data out of the United States as part of normal service operation.
  • We will not silently retain data forever. See retention in the Privacy Policy and DPA.

If something goes wrong

If we confirm a security incident affecting personal information CohortLedger holds, we will notify the affected school without undue delay and within any timeline required by applicable US state law. We will provide the facts the school needs to notify the families they serve. See the DPA for the contractual breach notification commitment.

Reporting a vulnerability

We welcome good-faith security research. Email security@cohortledger.com with a description of the issue, reproduction steps, and any relevant logs. We will acknowledge within two business days and keep you informed during remediation.