Security Practices

Classwire, LLC is committed to protecting the privacy and security of all data entrusted to us, especially children's data in educational settings. This page describes the security measures we have in place.

• Hosting: Classwire is hosted on Railway, a modern cloud platform with SOC 2 compliant infrastructure
• Encryption in transit: All connections use HTTPS/TLS encryption
• Encryption at rest: Database storage is encrypted at rest
• Backups: Automated database backups with point-in-time recovery
• Environment isolation: Production, staging, and development environments are fully separated

• Role-based access: Users are assigned roles (admin, teacher, family) that control what data they can see and modify
• Authentication: Secure login via Google OAuth or email/password with hashed credentials
• Session management: Sessions expire after inactivity; sensitive actions require re-authentication
• Admin access: Platform administration is restricted to authorized Classwire, LLC personnel

• Passwords: Stored using industry-standard one-way hashing (never stored in plain text)
• API keys and secrets: Stored as environment variables, never in source code
• File uploads: Stored securely in Cloudflare R2 with access-controlled URLs
• Payment data: Credit card information is handled entirely by Stripe and never touches our servers

• CSRF protection: All forms are protected against cross-site request forgery
• Input validation: All user input is validated and sanitized
• SQL injection prevention: We use parameterized queries via SQLAlchemy ORM
• XSS prevention: Template output is auto-escaped by default
• Rate limiting: API and form endpoints are rate-limited to prevent abuse
• Content Security Policy: Restricts resource loading to prevent injection attacks

In the event of a security incident:

• Detection: We monitor for unusual activity and unauthorized access attempts
• Response: Incidents are investigated immediately upon detection
• Notification: Affected schools and individuals are notified within 60 days as required by Texas law
• Remediation: We take immediate steps to contain the incident and prevent recurrence
• Documentation: All incidents are documented and reviewed to improve our security posture

When data deletion is requested:

• Requests are processed within 30 days
• All associated records are permanently removed from our database
• Uploaded files are deleted from cloud storage
• Backups containing the data are purged within the normal backup rotation cycle
• Certification of deletion is provided upon request

Classwire uses the following third-party services that may process data:

• Railway — Application hosting and database (infrastructure)
• Stripe — Payment processing (payment data only)
• Cloudflare R2 — File storage (uploaded documents and images)
• Google OAuth — Authentication (email address for login)

All third-party services are selected for their security practices and are bound by their own data protection policies. We do not share data with any third party for marketing or advertising purposes.

For security questions or to report a vulnerability:

Classwire, LLC
Contact us via our support form