The platform is designed with security, data integrity, and access control as core requirements. The following describes how student data, course content, and documents are protected.
User Authentication
- Student accounts are secured with email and password authentication
- Sessions are managed via Laravel Sanctum using secure, server-side tokens
- Session validity is checked at regular intervals during active use
- Expired or invalid sessions redirect the student to the login page automatically
Video Content Security
All video content is private and is never publicly accessible.
- Videos are stored in a private AWS S3 bucket
- Playback is delivered via AWS CloudFront using signed URLs
- Signed URLs are time-limited and generated per request — each URL expires after a set period
- If a URL expires mid-session, a new signed URL is generated transparently
- HLS (HTTP Live Streaming) is used for adaptive video delivery
Students cannot share video links with others; every URL is tied to a specific authenticated request.
Document Storage
Course certificates and uploaded eligibility documents are stored in private S3 buckets:
- No document is ever publicly accessible by URL
- Downloads are served through CloudFront signed URLs, the same mechanism used for videos
- Certificates can be re-downloaded at any time by the authenticated student — each request generates a fresh secure link
Progress Data Integrity
- All student progress is stored server-side
- Clearing browser cache, cookies, or local storage does not affect saved progress
- Progress is saved automatically every 30 seconds during active learning
- A soft-delete policy is applied to all critical records — no student data is permanently deleted; it is archived for audit purposes
Eligibility Documents
- Students upload proof of age and a high school diploma during the eligibility step
- Documents are stored in the private S3 bucket and are accessible only to administrators
- Administrators validate documents manually before course content is unlocked
- The validation status is recorded and retained as part of the student’s course record
Payment Security
- All payments are processed through Stripe and WooCommerce
- The platform does not store credit card numbers or payment credentials
- Payment data flows directly between the student’s browser and the payment processor
AI Data Handling
- The AI study assistant is powered by OpenAI’s GPT-4 model
- Questions submitted to the assistant contain only the student’s question text and relevant topic context
- No personally identifiable information (PII) — such as student name, email, or date of birth — is included in AI prompts
- AI responses are not logged in any external system; they are stored in the platform’s own database for the student’s reference
Audit Trail
The platform maintains a complete audit trail for all key actions:
- Student enrollment and access events
- Eligibility document submissions and validations
- Quiz and exam submissions
- Certificate generation and downloads
- Subscription changes and order events
Records use soft deletes — data is never hard-deleted. This supports compliance review and dispute resolution.
