Security at AttendEase

We handle biometric data from students, so security isn't optional — it's foundational to everything we build.

Currently in Beta

We're a startup building security the right way from the start. We don't yet have formal certifications like SOC 2, but we've designed the platform with FERPA, COPPA, and BIPA requirements in mind. Here's what we've built so far and how we think about security.

How We Protect Your Data

Encryption in Transit

All communication between cameras, browsers, and servers is encrypted using TLS. Camera provisioning uses Ed25519 signatures and X25519 key exchange for additional protection.

Credential Protection

Passwords are managed through Supabase Auth with secure hashing. SIS integration credentials are encrypted using XSalsa20-Poly1305. Internal service keys are hashed with Argon2id.

Authentication & Rate Limiting

Authentication is JWT-based and includes CSRF protection. Signup, login, and API requests are rate limited to prevent abuse. CORS is configured with an explicit allowlist.

Role-Based Access Control

Five distinct roles (Student, Parent, Teacher, Admin, Developer) with strict permissions. Teachers see their classes. Parents see their children. Each school's data is fully isolated.

Audit Logging

Attendance records from both cameras and teachers are logged in append-only audit tables. Configuration changes are tracked through event sourcing.

Multi-Tenant Isolation

Each school's data is completely isolated. There is no cross-organization data access. All queries are scoped to the user's organization.
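The scoping rule above (every query carries the caller's organization) is easy to state and easy to break with a single lookup by primary key. The following is an added illustration, not AttendEase's code: the schema, the `Session` shape and the sample rows are constructed for the example. It puts the unscoped lookup beside the scoped one so the difference in behaviour is visible on the same data.

```python
"""Tenant-scoped data access: the organization id comes from the verified
session and is part of every WHERE clause.

Added illustration; not AttendEase's code. The schema, the Session dataclass
and the sample rows are constructed for the example.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after verifying its JWT (assumed shape)."""
    user_id: int
    org_id: int
    role: str


def open_db() -> sqlite3.Connection:
    """In-memory database with two schools (org 100 and org 200); constructed data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE students (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, name TEXT);
        CREATE TABLE attendance (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,
                                 student_id INTEGER NOT NULL, day TEXT, present INTEGER);
        INSERT INTO students VALUES (1, 100, 'Ana'), (2, 200, 'Ben');
        INSERT INTO attendance VALUES (1, 100, 1, '2024-09-03', 1),
                                      (2, 200, 2, '2024-09-03', 0);
        """
    )
    return db


def attendance_for_student_unscoped(db: sqlite3.Connection, student_id: int):
    """The pattern tenant isolation must avoid: a lookup by id alone, so any caller
    who knows or guesses an id reads another school's record."""
    return db.execute(
        "SELECT day, present FROM attendance WHERE student_id = ?", (student_id,)
    ).fetchall()


def attendance_for_student(db: sqlite3.Connection, session: Session, student_id: int):
    """Scoped lookup: org_id is taken from the verified session, never from the
    request, and is always part of the predicate. An id from another school
    simply matches no rows, so the caller cannot tell whether it exists."""
    return db.execute(
        "SELECT day, present FROM attendance WHERE org_id = ? AND student_id = ?",
        (session.org_id, student_id),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    teacher_at_school_100 = Session(user_id=7, org_id=100, role="teacher")
    print(attendance_for_student(db, teacher_at_school_100, 1))  # own school: one row
    print(attendance_for_student(db, teacher_at_school_100, 2))  # other school: []
    print(attendance_for_student_unscoped(db, 2))                # unscoped: leaks the row
```

The point to check in a real code base is that no query path reaches the table without the `org_id` predicate; a review that greps for table names and confirms each query also binds the session's organization is a cheap way to catch the unscoped variant.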

Biometric Data Security

Biometric data is the most sensitive information we handle. Here's how we approach it — honestly, including where we're still improving.

Mathematical Representations

We store 512-dimensional facial embeddings — mathematical vectors that can't be used to reconstruct someone's face. These are what the system uses for matching.

Photos Are Also Stored

Enrollment photos and camera frame images are stored in cloud storage with access controls. These are used for enrollment and administrator review of unrecognized faces.

Organization-Level Isolation

All biometric data is scoped to the school that collected it. No cross-organization access is possible.

Deletion on Request

When a student leaves or consent is withdrawn, their biometric data — embeddings and photos — is deleted.

Camera System Security

  • Encrypted communication using XSalsa20-Poly1305
  • Ed25519 signature verification during provisioning
  • Bluetooth provisioning with key exchange
  • Live streaming restricted to administrators only

Designed for Compliance

These regulations guide how we build and operate. We're working toward full compliance and formal certifications as we grow.

FERPA (designed to meet)

Role-based access controls, data isolation between schools, and audit logging support FERPA's requirements for handling student education records.

COPPA (designed to meet)

Student accounts are created by school administrators, not by children directly. Schools act as the intermediary for parental consent.

BIPA (designed to meet)

We require written consent before collecting biometric data, never sell or share it, and delete it when consent is withdrawn or the student leaves.

Where We're Headed

We plan to pursue SOC 2 certification and third-party security audits as we grow past beta. Right now, we're focused on getting the fundamentals right — access control, data isolation, encryption in transit, and audit logging. If you have specific security questions, we're happy to walk you through our setup.

Security Practices

Application Security

  • CSRF protection with timing-safe token comparison
  • Content Security Policy and security headers
  • Rate limiting on authentication and API endpoints
  • Explicit CORS allowlist (fail-closed in production)

Data Protection

  • TLS encryption for all data in transit
  • Sensitive credentials encrypted at rest
  • Complete data isolation between schools
  • Configurable data retention periods per organization

Access Security

  • Five-tier role-based permission system
  • JWT-based session management
  • Short-lived, single-use WebSocket tickets
  • Permissions-Policy headers (geolocation, microphone, camera disabled in browser)
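Two items in these lists, the timing-safe CSRF token comparison under Application Security and the short-lived, single-use WebSocket tickets under Access Security, rest on the same small set of primitives. The following is an added example, not AttendEase's code: the ticket format, the 30-second lifetime, the in-memory store of unredeemed nonces and the injectable clock are assumptions made for the illustration. It shows why the comparison must be constant-time and how a ticket is bound to a user, expires, and can be redeemed only once.

```python
"""Short-lived, single-use WebSocket tickets plus a timing-safe token check.

Added illustration; not AttendEase's code. Ticket layout, TTL, the in-memory
nonce store and the clock parameter are assumptions for the example.
"""
import hmac
import secrets
import time

TICKET_TTL_SECONDS = 30  # assumed lifetime: enough to open one socket, not to reuse later


def csrf_token_matches(expected: str, submitted: str) -> bool:
    """Timing-safe comparison of the per-session CSRF token with the submitted one.
    A plain `==` stops at the first differing byte, so its running time leaks how
    many leading bytes matched; compare_digest runs in time independent of the
    position of the first mismatch. Bytes are compared so non-ASCII input does
    not raise."""
    return hmac.compare_digest(expected.encode(), submitted.encode())


class TicketIssuer:
    """Issues tickets of the form user_id.expires_at.nonce.tag, where tag is
    HMAC-SHA256 over the first three fields. Each nonce is redeemable once."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._unused = {}          # nonce -> (user_id, expires_at) for tickets not yet redeemed

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), "sha256").hexdigest()

    def issue(self, user_id: int) -> str:
        """Called after the HTTP session has been authenticated; the ticket is then
        presented once when the WebSocket is opened."""
        nonce = secrets.token_urlsafe(16)
        expires_at = int(self._clock()) + TICKET_TTL_SECONDS
        body = f"{user_id}.{expires_at}.{nonce}"
        self._unused[nonce] = (user_id, expires_at)
        return f"{body}.{self._tag(body)}"

    def redeem(self, ticket: str):
        """Return the user_id if the ticket is authentic, unexpired and unused;
        otherwise None. A valid ticket is consumed by this call."""
        try:
            user_id_s, expires_s, nonce, tag = ticket.split(".")
            user_id, expires_at = int(user_id_s), int(expires_s)
        except ValueError:
            return None
        body = f"{user_id}.{expires_at}.{nonce}"
        # Verify the tag first, in constant time, before trusting any field.
        if not hmac.compare_digest(self._tag(body), tag):
            return None
        if self._clock() > expires_at:
            self._unused.pop(nonce, None)   # expired: drop it so the store cannot grow
            return None
        record = self._unused.pop(nonce, None)  # single use: second redeem finds nothing
        if record is None or record[0] != user_id:
            return None
        return user_id


if __name__ == "__main__":
    issuer = TicketIssuer(secrets.token_bytes(32))
    ticket = issuer.issue(42)
    print(issuer.redeem(ticket))   # 42
    print(issuer.redeem(ticket))   # None: already used
```

In a deployment with more than one server the unredeemed-nonce store would live in shared storage with the same TTL, otherwise a ticket issued by one instance could be redeemed on each of the others; that is the deployment detail the example's in-memory dictionary stands in for.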

Incident Response

  • Prompt notification of affected schools
  • Root cause investigation
  • Audit log review
  • Fixes and preventive measures

Questions About Security?

We're happy to walk you through our security setup in detail.