Security Overview

Security at Retensiq

This page summarizes the controls and practices Retensiq uses to protect educator accounts, student information, and platform operations. It is designed for educators, district teams, and procurement reviewers who need clear, practical security information.

1. Identity and Account Protection

Retensiq applies layered account protections to reduce unauthorized access risk for educator and administrator accounts.

  • Secure password hashing for email/password authentication
  • Google OAuth sign-in support
  • Email verification before full account access
  • Multi-factor authentication using TOTP
  • Single-use MFA recovery codes
  • Role-based access controls for educators, administrators, and districts
  • Secure session cookies and session invalidation after password changes
  • Targeted rate limiting on authentication endpoints
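
The controls listed above map onto a small set of primitives. The following is an added example, not Retensiq's code (the function and class names, the PBKDF2 work factor, the recovery-code format and the fixed-window limiter are assumptions for illustration). It shows salted password hashing with a self-describing stored format, TOTP verification that refuses a replayed code, recovery codes that are stored hashed and consumed on first use, a session version that invalidates every existing session when the password changes, and a per-key rate limiter of the kind applied to authentication endpoints:

```python
# Account-protection primitives: salted password hashing, TOTP with replay protection,
# single-use recovery codes, session invalidation on password change, and rate limiting.
# Illustrative code with constructed data; names and parameters are assumptions.
import hashlib
import hmac
import os
import secrets
import struct
from collections import defaultdict
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to roughly 100 ms per hash on the server

def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters so the
    work factor can be raised later without breaking existing hashes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison

def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

@dataclass
class Account:
    password_hash: str
    totp_secret: bytes
    recovery_code_hashes: set = field(default_factory=set)  # hashes only; plaintext shown once
    last_totp_step: int = -1   # highest time step already accepted; blocks replay of a seen code
    session_version: int = 0   # bumped on password change so earlier sessions stop validating

def verify_totp(acct: Account, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Allow `window` steps of clock skew either side, but never a step at or below the
    last accepted one, so a code captured in transit cannot be replayed."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= acct.last_totp_step:
            continue
        expected = totp_code(acct.totp_secret, candidate * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            acct.last_totp_step = candidate
            return True
    return False

def issue_recovery_codes(acct: Account, count: int = 8) -> list[str]:
    """Codes are random and high-entropy, so a plain SHA-256 of each is adequate at rest."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    acct.recovery_code_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes  # shown to the user once; never stored in clear

def redeem_recovery_code(acct: Account, code: str) -> bool:
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    matched = None
    for stored in acct.recovery_code_hashes:  # always scan every entry
        if hmac.compare_digest(digest, stored):
            matched = stored
    if matched is None:
        return False
    acct.recovery_code_hashes.discard(matched)  # single use: gone after one success
    return True

SESSIONS: dict[str, tuple[Account, int]] = {}  # session id -> (account, version at issue)

def create_session(acct: Account) -> str:
    session_id = secrets.token_urlsafe(32)  # the value carried by the session cookie
    SESSIONS[session_id] = (acct, acct.session_version)
    return session_id

def session_is_valid(session_id: str) -> bool:
    entry = SESSIONS.get(session_id)
    return entry is not None and entry[1] == entry[0].session_version

def change_password(acct: Account, new_password: str) -> None:
    acct.password_hash = hash_password(new_password)
    acct.session_version += 1  # every session issued before this point is now stale

class FixedWindowLimiter:
    """Per-key attempt counter for login and MFA endpoints (key = account or client address)."""
    def __init__(self, limit: int, window_seconds: int):
        self.limit, self.window = limit, window_seconds
        self.counts: dict = defaultdict(int)

    def allow(self, key: str, now: int) -> bool:
        bucket = (key, now // self.window)
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit
```

The session-version check is what makes "session invalidation after password change" cheap: nothing has to enumerate and delete cookies, because any session carrying an older version simply stops validating. Recovery codes are hashed with plain SHA-256 here only because they are random and high-entropy; user-chosen passwords still need the slow, salted hash.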

2. Application Protection

Assessment workflows are protected with controls that help prevent misuse and keep decisions such as retakes under educator control.

  • File upload restrictions with supported format allowlists and size limits
  • Rejection of assessment session tokens that are invalid, expired, or already completed
  • Controlled retake workflows managed by educators
  • Audit logging for authentication and other security-sensitive events
  • Automated tests that cover common abuse paths, including unauthorized access attempts
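
As an added example of the token-state and upload checks above (illustrative code, not Retensiq's; the class names, the allowlist contents, the size limit and the audit-log shape are assumptions), the following distinguishes invalid, expired and completed assessment tokens, lets only an educator-authorized call issue a retake token, records each security-relevant decision in an audit log, and validates uploads by extension allowlist, size cap and leading bytes:

```python
# Assessment-session token states, educator-gated retakes, audit events, and upload checks.
# Illustrative code with constructed data; names, limits and allowlist are assumptions.
import hashlib
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class TokenState(Enum):
    VALID = "valid"
    INVALID = "invalid"      # unknown or malformed token
    EXPIRED = "expired"      # past its expiry and never submitted
    COMPLETED = "completed"  # already submitted; a retake needs a fresh token

@dataclass
class AssessmentSession:
    student_ref: str   # opaque reference chosen by the educator; no student account involved
    expires_at: int    # unix time
    completed: bool = False

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # sha256(token) -> AssessmentSession
    audit_log: list = field(default_factory=list)  # security-sensitive events, for later review

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # only the hash is kept server-side

    def issue(self, student_ref: str, now: int, ttl_seconds: int) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = AssessmentSession(student_ref, now + ttl_seconds)
        self.audit_log.append(("issued", student_ref, now))
        return token

    def state(self, token: str, now: int) -> TokenState:
        session = self.sessions.get(self._key(token))
        if session is None:
            return TokenState.INVALID
        if session.completed:       # checked before expiry: completion is the more specific reason
            return TokenState.COMPLETED
        if now >= session.expires_at:
            return TokenState.EXPIRED
        return TokenState.VALID

    def submit(self, token: str, now: int) -> bool:
        """Accept a submission only for a VALID token; every outcome is logged."""
        state = self.state(token, now)
        if state is not TokenState.VALID:
            self.audit_log.append(("rejected_submit", state.value, now))
            return False
        session = self.sessions[self._key(token)]
        session.completed = True
        self.audit_log.append(("submitted", session.student_ref, now))
        return True

    def grant_retake(self, completed_token: str, now: int, ttl_seconds: int,
                     educator_authorized: bool) -> Optional[str]:
        """Retakes are an educator decision: the old token stays COMPLETED, a new one is issued."""
        if not educator_authorized or self.state(completed_token, now) is not TokenState.COMPLETED:
            self.audit_log.append(("rejected_retake", now))
            return None
        student_ref = self.sessions[self._key(completed_token)].student_ref
        return self.issue(student_ref, now, ttl_seconds)

# Assumed upload allowlist: extension -> leading bytes the content must actually carry.
ALLOWED_UPLOADS = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "docx": b"PK\x03\x04"}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Allowlist by extension, cap the size, and require matching magic bytes so a renamed
    file cannot pass on its name alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_UPLOADS:
        return False, "extension not allowed"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_UPLOADS[ext]):
        return False, "content does not match extension"
    return True, "ok"
```

Tokens are stored as hashes so a read of the session table does not yield usable tokens, and a completed session reports as completed even after its expiry, since that is the reason an educator actually needs to see. The magic-byte check is deliberately in addition to the extension allowlist: the extension is attacker-controlled, the leading bytes are at least a claim about the content itself.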

3. Data Stewardship and Privacy

Retensiq follows a minimal-data approach and privacy-conscious architecture to limit exposure of student information.

  • Sensitive authentication artifacts encrypted or hashed at rest
  • Student participation workflows that do not require full student accounts
  • Privacy-aware document ingestion pipeline with redaction stages
  • Data Processing Agreement acceptance during onboarding
  • Educator-controlled student workflows with minimal data collection by design

4. Infrastructure Security

Retensiq infrastructure protections focus on secure hosting baselines, visibility, and controlled administrative access.

  • AWS-hosted infrastructure
  • Infrastructure logging and monitoring for security-relevant events
  • Web application firewall protections at the edge
  • Encrypted storage volumes
  • Hardened instance configurations and restricted administrative access

5. Continuous Security Verification

Security checks are built into the development lifecycle so potential issues can be surfaced and addressed early.

  • Dependency vulnerability scanning during pull requests
  • Static security analysis in development workflows
  • Secret detection scanning in source repositories
  • Automated vulnerability scanning integrated into CI/CD pipelines for dependencies and infrastructure code
  • Cloud infrastructure posture assessments performed against AWS security best practices
  • Scheduled automated application security scanning to detect common web vulnerabilities
  • Security scan results reviewed as part of the platform security governance process
  • Defined security review cadence as part of development operations

Security is an ongoing process. Retensiq continuously improves platform protections as part of our secure development lifecycle.