Security Practices

Last updated: March 20, 2026

1. Our Approach

BookPulse, operated by Baarstad Consulting Services, takes the security of your data seriously. This page describes the security measures we have in place to protect teacher and student information. We believe in transparency — we describe what we actually do, not aspirational goals.

2. Encryption

  • In transit: All data transmitted between your browser and BookPulse is encrypted using HTTPS with TLS. This applies to every page, API call, and file transfer.
  • At rest: Our database (hosted by Supabase) encrypts all stored data at rest. This includes student responses, teacher account information, and all application data.

3. Authentication and Access Control

  • Teacher authentication: Teachers log in via Google OAuth or email and password. Session management uses secure, httpOnly cookies that cannot be accessed by client-side JavaScript.
  • Student authentication: Students authenticate with their first name, last initial, and a password. Passwords are cryptographically hashed using industry-standard algorithms before storage. No one — including BookPulse staff — can read a student's password.
  • Admin access: Administrative functions are restricted to a whitelisted email address. There is no general admin registration.
  • Row-Level Security: Every database table uses Supabase Row-Level Security (RLS) policies. Teachers can only query their own classes and students. Students can only access their own responses. These policies are enforced at the database level, not just the application level.

4. Application Security

  • Server-side enforcement: Authentication and authorization are enforced via server-side middleware. API endpoints verify user identity and permissions before processing any request.
  • Rate limiting: Sensitive endpoints (including AI feedback evaluation) are rate-limited to prevent abuse.
  • Input validation: User inputs are validated server-side before processing. Database queries use parameterized statements to prevent SQL injection.
  • No client-side secrets: API keys and sensitive credentials are stored as server-side environment variables and are never exposed to the browser.

5. Data Isolation

  • Teacher data is isolated by account. One teacher cannot access another teacher's classes, students, or data.
  • Student data is scoped to their assigned class and teacher. Students cannot access other students' responses.
  • AI feedback requests are de-identified — no student names or identifying information are included in API calls to Anthropic.

6. Infrastructure

  • Application hosting: Vercel (US-based). Automatic HTTPS, DDoS protection, and edge network distribution.
  • Database hosting: Supabase (US-East region). Managed PostgreSQL with automated backups, encryption at rest, and network-level access controls.
  • Payment processing: Stripe handles all payment data. BookPulse never processes or stores credit card numbers.
  • Email delivery: Resend handles transactional emails to teachers only. No student email addresses are collected.

7. Development Practices

  • All code changes are committed to version control (Git) before deployment.
  • Deployments are automated from the main branch — no manual server access required.
  • TypeScript strict mode is enabled across the codebase for type safety.
  • Environment variables for secrets are managed through the hosting provider's secure configuration.

8. What We Don't Have (Yet)

In the interest of transparency, here are security measures we have not yet implemented:

  • SOC 2 Type II certification
  • Third-party penetration testing
  • A formal bug bounty program
  • A published SLA with uptime guarantees
  • Multi-factor authentication for teacher accounts
  • Centralized security event monitoring (SIEM)

We are a small company building for classrooms. As we grow, we plan to invest in these areas. If any of these are requirements for your school or district, please contact us so we can discuss your needs.

9. Incident Response

In the event of a security incident or data breach, we will:

  1. Investigate and contain the incident as quickly as possible
  2. Notify affected users and schools within 72 hours of discovery
  3. Provide a clear description of what happened, what data was affected, and what steps we are taking
  4. Work with affected parties to mitigate any impact

To report a security concern, contact us at support@readbookpulse.com or via our contact form.

10. Contact

For security-related questions or to report a concern, contact us at support@readbookpulse.com or visit our contact page.

Privacy PolicyTerms of ServiceFERPA Compliance