Security
Submissions, grades, and proctoring evidence are part of the academic record. This page describes exactly how Assessly protects them, and is careful not to claim anything it doesn't do.
Where we stand
Assessly is a pilot-stage platform, and we won't pretend otherwise.
We do not yet hold SOC 2 or ISO 27001 certification. Security review is continuous, independent researchers test the platform through our bug bounty program, and formal certification is on the roadmap as we grow with institutions. Everything below describes how the platform is actually built today.
01 / Data protection
Core application data and authentication run on Supabase's managed Postgres. Isolation between institutions is enforced in the database itself with row-level security. Every query is scoped to the requesting user and their institution, so each institution operates as an isolated tenant.
Sessions are short-lived, signed JWTs that rotate regularly, and every API endpoint requires valid authentication.
02 / Execution isolation
Every submission runs through Judge0 in ephemeral, unprivileged containers with no access to the host filesystem, the internal network, or other users' data. Strict time and memory limits are enforced on every run.
The execution pipeline lives on dedicated AWS EC2 servers in India (Mumbai), kept physically and logically separate from the primary database. A sandbox escape would still land on infrastructure that holds no student records, and escaping the sandbox is one of the highest-paying targets in our bug bounty program.
03 / Assessment integrity
Instructors choose which integrity modules an assessment runs: fullscreen enforcement, tab-switch tracking, copy-paste blocking, single-tab and single-device locks, browser fingerprinting, typing analysis, webcam and audio monitoring. The configuration is sealed the moment the attempt starts. Nobody, including us, changes the rules mid-exam.
The philosophy is flag, not block. Violations never auto-fail a student. Each one is logged with context and surfaced as an evidence trail a misconduct board can actually use. The decision always stays with your faculty.
The full module catalog, and exactly what each module records, is documented in the integrity and privacy guide.
The system collects the evidence. The decision stays where it belongs, with your faculty.
04 / Privacy & consent
Before a proctored session begins, students see which modules are enabled and give explicit consent at the preflight check. Only then does the session start. Each module records as little as it needs.
Analytics: signed-in product usage is captured as first-party analytics to run and improve the service, while anonymous and marketing-site analytics (and any non-essential analytics cookies) are collected only if a visitor accepts analytics cookies. Sentry handles error monitoring. Cloudflare Turnstile protects public forms from bots. Your data is never sold, and it is shared only with the subprocessors required to run the service.
Data export and account deletion are self-serve from the dashboard. Retention of institutional records, submissions and grades, is governed by each institution's agreement, since those are the institution's academic records.
05 / Responsible disclosure
We run a working bug bounty program: real findings, fixed and credited. Valid reports earn recognition in the hall of fame, a verifiable researcher certificate, and cash rewards for impactful findings.
Found something? Read the program rules and scope and submit through the report form, or write to hello@assessly.in for anything urgent.
06 / Subprocessors
Assessly runs on a small, named set of infrastructure and AI providers: Supabase, AWS, Vercel, Cloudflare, OpenAI, Groq, Deepgram, Cartesia, PostHog, Sentry, Resend, and Better Stack, each limited to the minimum data required for its job.
The full list, with each vendor's purpose and data region, is public on the subprocessors page.
Found a vulnerability? Our bug bounty program rewards responsible disclosure, and credits the researchers who make the platform safer.