Trust & security

Institutional users authenticate through your own identity provider. Email/OTP remains for direct consumers.

For institution records, identity comes from the verified SSO assertion — never a user-typed email.

Advisors see a student's record only after the student approves the link; access is scoped to consented students.

Student / advisor / department / org-admin roles and a provisioning console for institution administrators.

Every institution record is bound to an organization id and isolated by Postgres row-level-security policies — enforced in the database, not just application code.

Each record is stamped consumer vs institution, and with how the user authenticated, so institutional data is unambiguous.

Access and changes to institution records (e.g. an advisor opening a student record) are recorded per tenant.

Surfacing the audit trail to institution administrators (the 'who accessed what' view).

Atomic deletion of an individual's data across all tables on request.

Per-tenant retention windows and AI usage caps are configurable at the organization level.

Institution-facing workflows for data export and record correction.

Row-level security is enabled deny-by-default on all tables; privileged access is server-side only.

Per-IP and per-account rate limits, plus a global AI spend circuit-breaker with admin alerting.

CI blocks high/critical dependency advisories; runtime errors are tracked and alerted.

An independent penetration test ahead of broad institutional rollout.

Skip links, focus states, semantic landmarks, reduced-motion, and non-color indicators are in place; continuous automated testing and a VPAT are being finalized.