Trust Center
Security, privacy & compliance
Last updated: 2026-06-24
Eduspera is built so organisations can trust it with their learners’ data. This page summarises how we protect that data, who our sub-processors are, and the documents available for vendor assessment and procurement.
Data residency
Primary data — accounts, courses, progress and uploads — is stored in the European Union (Frankfurt, Germany). Where a sub-processor operates outside the EU/EEA, transfers are covered by a Data Processing Agreement and EU Standard Contractual Clauses (SCCs). See the sub-processors list below.
Security measures
| Area | Control |
|---|---|
| Encryption | TLS 1.2+ in transit everywhere; data encrypted at rest at the database and storage layer. |
| Tenant isolation | PostgreSQL Row Level Security on every table isolates each school’s data; cross-tenant access is only possible through audited, service-role admin paths. |
| Authentication | Hashed credentials, optional Google SSO, and email-based 2FA with 30-day device trust on the admin/creator zone. |
| Least privilege | The public client is read-only; all mutations go through server-side handlers with input validation. Service-role keys never reach the browser. |
| File access | Private uploads (e.g. submissions) are served via short-lived signed URLs, not public links. |
| Hardening | Rate limiting on authentication endpoints, secret management outside the codebase, and bot/abuse protection at the edge. |
Sub-processors
We use a small set of vetted providers to deliver the service. We update this list before adding or replacing a sub-processor that handles personal data.
| Sub-processor | Purpose | Region | Safeguard |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU — Frankfurt, Germany | EU hosting; DPA |
| Bunny.net (Bunny Stream) | Video hosting, captions delivery, CDN | EU + global edge | DPA; SCCs |
| Cloudflare | DNS, CDN, TLS, WAF / bot protection | Global edge | DPA; SCCs |
| Emailit | Transactional & academy email delivery | EU | DPA |
| Stripe | Payments and billing | EU / US | DPA; SCCs; PCI-DSS |
| OpenAI | Speech-to-text (automatic captions) | US | DPA; SCCs; no training on our data |
| | Optional sign-in (OAuth) and, with consent, Analytics | US | DPA; SCCs; consent-gated |
| Hosting (self-managed, Coolify) | Application runtime | EU | EU data centre |
Data processing agreement (DPA)
A GDPR Article 28 Data Processing Agreement, including the sub-processor list and EU Standard Contractual Clauses, is available for signature on request. Email [email protected]. The data controller and contracting entity is Design Excellent Group SL (NIF B02759603), Calle Blanquerna 53, 07003 Palma de Mallorca, Spain.
Backups & resilience
- Continuous database backups with point-in-time recovery.
- Recovery objectives: RPO ≤ 24h, RTO ≤ 8h for a major incident (targets, kept under review as we formalise our SLA).
- Infrastructure is reproducible from version control and deploys through an automated pipeline.
Incident response
We maintain an incident-response process. In the event of a personal-data breach, we will notify affected controllers/customers without undue delay and, where required, within 72 hours of becoming aware, in line with GDPR Article 33.
Responsible disclosure
If you believe you have found a security vulnerability, please report it to [email protected]. We will acknowledge your report, keep you updated, and we will not pursue or support legal action against good-faith research that respects user privacy and avoids service disruption.
Compliance & accessibility
- GDPR — EU data residency, DPA available, data-subject rights honoured (see Privacy Policy).
- Accessibility — WCAG 2.2 Level AA as a product requirement; see our Accessibility Conformance Report (VPAT/ACR).
- SOC 2 — on our roadmap; a formal programme will be initiated to support enterprise customers. We are happy to complete security questionnaires (e.g. CAIQ-Lite) in the meantime.
Contact
Security, privacy and data requests: [email protected]