Security
Security is a core product requirement, not a launch checklist. Here is how we protect exam data and isolate every university.
Examination Center is in early access — we're onboarding institutional pilots. The information here describes our current platform and direction and may evolve; it is not a contractual commitment.
Last updated: 2026-06-18
Architecture
A controlled, AI-free coding environment runs client-side in the browser (Python via Pyodide/WASM today; more languages planned). A Flask application and PostgreSQL database back instructor monitoring, with strict per-organization data isolation. "Controlled" means the in-app editor has no AI assistant or autocomplete; it does not take over the student's full browser or device.
Access control
- Every API route enforces authorization server-side — the UI hiding a control is never the security boundary.
- Role-based access across four scopes (platform → organization → course/exam → section) with least privilege.
- Organization / course / section separation: a user can only read or modify resources within their own organization; object IDs are always scope-checked.
- Student sessions are bound to a server-issued secret, so a session ID alone cannot be replayed.
- Sensitive actions are written to an audit log.
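
The scope check from the list above, as an added sketch rather than Examination Center's own code: an object is fetched by ID, matched against the caller's organization, and only then against the caller's role scope. All names (`Resource`, `Grant`, `User`, `load_scoped`, `status_for`) and the sample data are hypothetical, and answering 404 for another organization's ID is an assumption of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:            # hypothetical exam object carrying its full scope path
    id: int
    org: str
    course: str
    section: str

@dataclass(frozen=True)
class Grant:
    level: str             # "platform" | "organization" | "course" | "section"
    scope_id: str          # id at that level ("*" for platform)
    actions: frozenset

@dataclass
class User:
    org: str
    grants: tuple = ()

class NotFound(Exception): pass
class Forbidden(Exception): pass

def covers(g, r):
    # A grant reaches a resource when its id matches at the grant's own level.
    return g.level == "platform" or g.scope_id == {
        "organization": r.org, "course": r.course, "section": r.section}[g.level]

def load_scoped(db, user, resource_id, action):
    res = db.get(resource_id)
    platform = any(g.level == "platform" for g in user.grants)
    # Another organization's ID is indistinguishable from a missing one.
    if res is None or (not platform and res.org != user.org):
        raise NotFound(resource_id)
    # Same organization: the role must still reach this course/section.
    if not any(covers(g, res) and action in g.actions for g in user.grants):
        raise Forbidden(action)
    return res

def status_for(db, user, resource_id, action):
    try:
        load_scoped(db, user, resource_id, action)
        return 200
    except NotFound:
        return 404
    except Forbidden:
        return 403

# Constructed sample data: course/section ids repeat across organizations.
DB = {1: Resource(1, "uni-a", "cs101", "s1"), 2: Resource(2, "uni-a", "cs101", "s2"),
      3: Resource(3, "uni-b", "cs101", "s1")}
TA = User("uni-a", (Grant("section", "s1", frozenset({"read"})),))
```

Resource 3 shares the section id `s1` with the TA's grant, so the organization comparison, not the role match, is what keeps it out of reach.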
Data protection
- All traffic is served over HTTPS/TLS.
- Secrets are held in environment configuration, never in source control; the repository history is clean of credentials.
- Billing, when enabled, is designed to be driven only by signature-verified, idempotent webhooks — never by client input.
- The database has point-in-time recovery enabled; off-site per-exam backups are being rolled out.
Records, exports & retention
Instructors can export sessions, events, and integrity reports (JSON/CSV) for their records. Exam-data retention controls are described on the Data retention page.
Verification
We have completed an internal review against OWASP ASVS Level 2 (access control, organization isolation/IDOR, billing integrity, secret hygiene), following CISA Secure-by-Design and NIST SSDF practices, and track findings to remediation. This is an internal review; independent third-party certification is on our roadmap and not yet completed.
Secure development
Security work is ongoing and tracked as a roadmap: server-side authorization on every route, tenant-isolation checks, dependency and secret hygiene, and continued ASVS-guided hardening. We describe capabilities as available today only where stated.
Academic integrity
The exam editor has no built-in AI assistant and no autocomplete. Integrity signals (paste, large edits, sudden code, cross-student similarity) are surfaced as evidence for human review; the platform never assigns guilt or a grade, and does not claim to detect AI use.
Report a vulnerability
See our vulnerability disclosure policy or email security@examination.center.