• TLS 1.2+ encryption in transit with HSTS enforcement.
• AES-256 encryption at rest through AWS infrastructure.
• Passwords hashed with bcrypt (industry-standard adaptive hashing).
• Database connections encrypted in transit.

• Hosted on Heroku (AWS us-east-1 region).
• All data stored in United States data centers.
• No data transferred outside the US.

• CSRF protection on all forms (Flask-WTF).
• Rate limiting on authentication and API endpoints.
• Secure cookies: HttpOnly, SameSite=Lax, Secure flag.
• Content Security Policy headers.
• Security headers: HSTS, X-Content-Type-Options, X-Frame-Options.
• Input validation and output encoding.

• Four distinct user roles with strict separation: Intern, Employer, Admin, and Coordinator.
• Session management via Flask-Login.
• Email verification required for all accounts.
• Role-based route protection on all endpoints.

• Content moderation: All student inputs are screened by OpenAI's Moderation API before processing.
• Restrictive system prompts constrain AI behavior.
• Per-user daily rate limits on AI features.
• Student data is anonymized before AI processing (PII stripped from skill analysis).
• Zero-data-retention configuration with AI providers.

Code2College leverages certified infrastructure providers. Application-level organizational certification is under evaluation.

• Immutable audit logs tracking data access and administrative actions.
• FERPA consent management framework.
• Data export capabilities for student data portability.
• Minor detection and protection mechanisms.

For security inquiries, please contact us at zachary@code2college.org.