Security & Trust

Enterprise-grade security for your research data

AssessKit is committed to protecting your psychology research data with enterprise-grade security. We implement comprehensive security measures across our infrastructure and application layers.

Data Encryption

  • AES-256 encryption for all data at rest (via Supabase)
  • TLS 1.3 for all data in transit (HTTPS-only)
  • Encrypted database backups
  • Password hashing with bcrypt (via Supabase Auth)

Authentication & Access Control

  • Email/password and OAuth authentication (via Supabase Auth)
  • Multi-factor authentication (MFA) available
  • Role-Based Access Control (RBAC) for team members
  • Row-Level Security (RLS) policies on all database tables
  • Session management with JWTs stored in HTTP-only cookies
  • Organization-level access isolation

Infrastructure Security

  • Hosting: Vercel (SOC 2 Type II certified)
  • Database: Supabase (SOC 2 Type II certified, PostgreSQL on AWS)
  • Payments: Stripe (PCI DSS Level 1 certified)
  • Network rate limiting via Upstash Redis
  • Bot protection via Cloudflare Turnstile
  • Regular dependency updates and security patches

Application Security

  • Input validation using Zod schema validation
  • XSS and CSRF protection (Next.js built-in)
  • SQL injection prevention (parameterized queries, RLS)
  • TypeScript for type safety
  • Security headers and Content Security Policy

Multi-Tenant Data Isolation

  • Organization-level data separation
  • Row-Level Security enforces access boundaries
  • Researcher-controlled participant data access
  • Real-time collaboration with secure presence tracking
  • Experiment sharing with granular permissions
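
The organization-level isolation and Row-Level Security described above can be illustrated with a PostgreSQL/Supabase policy set. This is an added example, not AssessKit's own schema or code: the tables and columns (organizations, organization_members, experiments, org_id, role) are assumptions, while auth.uid() is the helper Supabase exposes for the calling user's id.

```sql
-- Added illustrative example (not AssessKit's schema). Table/column names are assumed.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table organization_members (
  org_id  uuid not null references organizations(id) on delete cascade,
  user_id uuid not null,  -- corresponds to auth.users.id in Supabase
  role    text not null check (role in ('owner', 'researcher', 'viewer')),
  primary key (org_id, user_id)
);

create table experiments (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null references organizations(id) on delete cascade,
  title      text not null,
  created_by uuid not null
);

-- Enable RLS and force it even for the table owner, so a missing policy fails closed.
alter table organization_members enable row level security;
alter table organization_members force row level security;
alter table experiments enable row level security;
alter table experiments force row level security;

-- Caller's role in an organization, or NULL when not a member.
-- SECURITY DEFINER lets policies consult memberships without granting
-- tenants direct read access to other tenants' membership rows.
create or replace function org_role(p_org uuid)
returns text
language sql
stable
security definer
set search_path = public
as $$
  select m.role
  from organization_members m
  where m.org_id = p_org
    and m.user_id = auth.uid();
$$;

-- Members may only see their own organization's membership rows.
create policy members_select on organization_members
  for select to authenticated
  using (org_role(org_id) is not null);

-- Read: any member of the organization can see its experiments.
create policy experiments_select on experiments
  for select to authenticated
  using (org_role(org_id) is not null);

-- Write: owners and researchers only. WITH CHECK is what stops a caller
-- from inserting or moving a row into an organization they do not belong to.
create policy experiments_write on experiments
  for all to authenticated
  using (org_role(org_id) in ('owner', 'researcher'))
  with check (org_role(org_id) in ('owner', 'researcher'));

-- Constructed verification step for a SQL console: impersonate a user and
-- confirm only that user's organizations are visible. Supabase's auth.uid()
-- reads the "sub" claim from the request.jwt.claims setting.
set role authenticated;
set request.jwt.claims to '{"sub":"00000000-0000-0000-0000-000000000001"}';
select org_id, count(*) from experiments group by org_id;
reset role;
```

The two checks a reviewer would run against such a policy set are that every tenant-scoped table has RLS enabled (a table with RLS off is fully visible through the API) and that write policies carry a WITH CHECK clause, since USING alone restricts which rows are visible but not which tenant a new row is written into.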

Monitoring & Logging

  • Error tracking and monitoring (Sentry integration)
  • Security event logging
  • Audit trails for sensitive operations
  • Automated alerts for anomalies

Backup & Disaster Recovery

  • Automated daily backups (via Supabase)
  • Point-in-time recovery capabilities
  • Geographic redundancy for data resilience
  • Regular restoration testing

Third-Party Security

We work with industry-leading service providers who maintain their own security certifications:

  • Vercel (Hosting) - SOC 2 Type II certified
  • Supabase (Database) - SOC 2 Type II certified
  • Stripe (Payments) - PCI DSS Level 1 certified
  • Resend (Email delivery)
  • OpenAI (AI features)
  • PartyKit (Real-time collaboration)

We maintain Data Processing Agreements (DPAs) with all data processors and conduct regular vendor security reviews.

Compliance

  • GDPR Compliant: EU data protection regulations
  • CCPA Compliant: California privacy regulations
  • OWASP Best Practices: Secure development standards
  • NIST Cybersecurity Framework: Security framework alignment

Note: We rely on our infrastructure providers' certifications (Vercel and Supabase SOC 2 Type II) rather than maintaining separate certifications.

Vulnerability Reporting

We appreciate security researchers who help us maintain platform security through responsible disclosure.

How to Report:

  • Email: stephen@assesskit.com
  • Subject: "Security Vulnerability Report"
  • Include: Detailed reproduction steps and impact assessment

Our Commitment:

  • 48-hour acknowledgment of your report
  • Regular updates on remediation progress
  • 90-day remediation window before public disclosure
  • Credit for responsible disclosure (with your permission)

Guidelines:

  • Do not access or modify user data without explicit permission
  • Do not perform automated testing that could impact service availability
  • Do not disrupt service or harm user experience
  • Report vulnerabilities privately via email before public disclosure

Incident Response

  • Documented incident response procedures
  • 72-hour breach notification (GDPR requirement)
  • User notification for incidents affecting their data
  • Post-incident review and preventive measures

Security Best Practices for Researchers

We recommend these security practices to protect your research data:

  • Enable multi-factor authentication (MFA) on your account
  • Use strong, unique passwords
  • Review team member access regularly
  • Export critical data regularly as backups
  • De-identify participant data when possible
  • Follow your institution's security and data protection policies

Contact

Security Inquiries: stephen@assesskit.com

Vulnerability Reports: Use subject line "Security Vulnerability Report"

Response Time: We aim to respond within 48 hours for all security-related inquiries.