# Security — Assessly

> Our security model: Row-Level Security on every sensitive table, role-based access control, sandboxed code execution, hidden test-case protection, and a clear disclosure path.

**URL**: https://assessly.in/security
**Last updated**: 2026-04-17

## Key controls

- RLS-enforced multi-tenant isolation by `institution_id`.
- Roles stored in a dedicated `user_roles` table (never on profiles) to prevent privilege escalation.
- Edge functions verify Turnstile and JWTs before invoking paid APIs.
- Hidden test cases never reach the client.
- Cloudflare Turnstile gates sign-up, password reset, and the contact form.
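
The first two controls can be sketched in PostgreSQL as follows. This is an added example, not Assessly's own schema: only `institution_id` and `user_roles` come from this page, while the database engine, the other table, column, role, function and policy names, and the `app.user_id` session setting are assumptions. It shows why keeping roles off the user-editable profile row matters: the profile row is writable by its owner, the role rows are not.

```sql
-- Added example, not Assessly's schema. Only institution_id and user_roles come from the page.
-- Assumption: the API layer runs as app_user and sets app.user_id from the verified JWT.
CREATE ROLE app_user NOLOGIN;
CREATE TABLE profiles (
  user_id        uuid PRIMARY KEY,
  institution_id uuid NOT NULL,
  display_name   text            -- user-editable; deliberately no role column
);
CREATE TABLE user_roles (
  user_id uuid NOT NULL REFERENCES profiles (user_id),
  role    text NOT NULL CHECK (role IN ('student', 'instructor', 'admin')),  -- assumed role names
  PRIMARY KEY (user_id, role)
);
CREATE TABLE submissions (
  id             uuid PRIMARY KEY,
  institution_id uuid NOT NULL,
  owner_id       uuid NOT NULL REFERENCES profiles (user_id),
  score          numeric
);

CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;
-- SECURITY DEFINER: runs as the table owner, so the lookups are not themselves filtered by RLS.
CREATE FUNCTION current_institution_id() RETURNS uuid
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS
$$ SELECT institution_id FROM profiles WHERE user_id = current_user_id() $$;

CREATE FUNCTION has_role(_role text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS
$$ SELECT EXISTS (SELECT 1 FROM user_roles
                  WHERE user_id = current_user_id() AND role = _role) $$;

ALTER TABLE profiles    ENABLE ROW LEVEL SECURITY;
ALTER TABLE user_roles  ENABLE ROW LEVEL SECURITY;
ALTER TABLE submissions ENABLE ROW LEVEL SECURITY;

-- Own profile row only; the column grant keeps institution_id immutable for app_user.
CREATE POLICY profiles_self ON profiles USING (user_id = current_user_id());
GRANT SELECT ON profiles, user_roles, submissions TO app_user;
GRANT UPDATE (display_name) ON profiles TO app_user;

-- Roles are readable by their owner; no write policy or grant exists, so app_user cannot change them.
CREATE POLICY user_roles_self_read ON user_roles FOR SELECT
  USING (user_id = current_user_id());

-- Tenant isolation first, then role: instructors see only their own institution's rows.
CREATE POLICY submissions_tenant_read ON submissions FOR SELECT
  USING (institution_id = current_institution_id()
         AND (owner_id = current_user_id() OR has_role('instructor')));
```

Row-level security does not apply to the table owner unless `FORCE ROW LEVEL SECURITY` is set, so the application must connect as a non-owner role such as the assumed `app_user` for these policies to take effect.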

## Disclosure

Report vulnerabilities to **security@assessly.in**.

## Related

- [Privacy](/privacy/index.md)
- [Terms](/terms/index.md)
