Security & Trust

For school IT, parents and security researchers. Last reviewed: 1 May 2026.

Edapt is built for school-age learners, so security and child-safety posture aren't optional. This page summarises the controls in plain English so a school IT team can verify Edapt in five minutes.

Reach us fast

Security: security@edaptlearn.com

Privacy: privacy@edaptlearn.com

School IT: edaptlearn.com/for-schools

Standards

RFC 9116 (security.txt) ✓
Australian Privacy Principles ✓
OAIC Notifiable Data Breaches ✓
HSTS preload-eligible ✓

Overview

Edapt is a free AI tutoring platform. We hold the minimum data needed to personalise lessons: account email, the VARK assessment answers you submit, the lesson topics you ask about, and the reflections you write into the app. We don't sell data, run advertising, or train public AI models on student work.

Transport security

TLS 1.3 enforced site-wide via Vercel's edge network.
HSTS with max-age=63072000; includeSubDomains; preload.
Automatic HTTPS redirect from any plain-HTTP entry.
HTTP/2 + HTTP/3 (QUIC) end-to-end.
Modern certificate authority (Let's Encrypt / Vercel-managed).

Data at rest

Encrypted PostgreSQL (AES-256) hosted in EU/US regions.
Daily encrypted backups, 30-day retention.
Uploaded files stored in encrypted object storage.
Secrets managed in Vercel encrypted environment store.

Authentication

Email + password (bcrypt-hashed) or Google OAuth.
Signed, short-lived session JWTs; CSRF tokens on every state-changing request.
Optional 2FA on the roadmap (Q3 2026).
Stripe handles all payment data — Edapt never sees a full card number.

AI vendors

We send prompts to LLM providers under zero-retention, no-training enterprise terms. Providers do not retain inputs or outputs beyond the time it takes to respond, and do not use them to train public models.

Groq — primary inference, zero-retention.
Cerebras — secondary inference, zero-retention.
ElevenLabs — text-to-speech for Listen mode.

Subprocessors

The complete list of third parties that process any user data on our behalf:

Vercel — application hosting, edge delivery.
Stripe — payment processing.
Groq, Cerebras — LLM inference (zero-retention).
ElevenLabs — text-to-speech.
Resend — transactional email.

Responsible disclosure

If you find a vulnerability, please email security@edaptlearn.com with steps to reproduce. We will acknowledge within 48 hours and aim to ship a fix within 30 days. We will not pursue legal action against good-faith researchers who:

Do not access, modify or destroy data that isn't their own.
Do not run automated scanners that disrupt service.
Give us a reasonable window to fix before public disclosure.

Machine-readable contact details: /.well-known/security.txt.

For school IT

School networks running Fortinet, Securly, Lightspeed, GoGuardian, Cisco Umbrella or similar should see /for-schools for allowlist domains, vendor-categorisation links and an SSL-inspection exemption template.

Acknowledgements

We'll list researchers here (with permission) once the first reports come in. Be the first.