Trust & Security

Security Policy

Last updated: April 2026

1. Our Commitment

Protecting student data is our highest priority. We implement multiple layers of security to safeguard the platform and its users.

2. Infrastructure Security

  • Hosted on Google Cloud Platform (SOC 2, ISO 27001 certified)
  • Firebase Firestore with automatic encryption at rest
  • TLS 1.3 encryption for all data in transit
  • Automated backups and disaster recovery

3. Application Security

  • Secure HTTP-only session cookies with CSRF protection
  • Role-based access control across 12 user roles
  • Rate limiting on all API endpoints
  • Input validation and sanitization on all user inputs
  • Content Security Policy headers
  • No client-side storage of API keys or secrets

4. Authentication & Access

  • Firebase Authentication with secure session management
  • Student login via unique 6-character codes (no email/password for minors)
  • Teacher/admin login with email, password, and optional SSO
  • 14-day session expiry with automatic renewal
  • Edge middleware for role-based route protection

5. Data Protection

  • All personal data encrypted at rest (AES-256)
  • All API communication over HTTPS
  • Minimal data collection — only what's needed for platform operation
  • No advertising cookies or third-party tracking
  • Student data never sold to third parties

6. Compliance

  • COPPA compliant (children's online privacy)
  • FERPA aligned (student education records)
  • Kenya Data Protection Act, 2019 compliant
  • SOC 2 Type II certified infrastructure
  • ISO 27001 certified infrastructure

7. Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@stemimpactcenterkenya.org. We ask that you:

  • Not publicly disclose the issue until we've addressed it
  • Not access or modify other users' data
  • Provide sufficient detail to reproduce the issue

We will acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

8. Incident Response

  • Dedicated incident response team
  • Affected users notified within 72 hours
  • Root cause analysis conducted
  • Preventive measures implemented
  • Regulatory authorities notified as required

9. Contact

For security inquiries, contact us at security@stemimpactcenterkenya.org.