Security Practices
This document summarises the security controls and practices Auriga employs to protect student and institutional data. It is intended for school IT administrators and procurement teams conducting security reviews.
Last updated: April 2026
Data Encryption
Encryption at rest
All data stored in Google Cloud (Firestore and Cloud SQL) is encrypted at rest using AES-256 by default, managed by Google Cloud KMS. No additional configuration is required to enable this protection.
Encryption in transit
All traffic between clients and Auriga services is encrypted with TLS 1.2 or higher. Older cipher suites are disabled. HSTS headers enforce HTTPS-only access.
Authentication & Access Control
Firebase Authentication
User authentication is handled by Google Firebase Auth. Auriga never stores plaintext passwords. Passwords are hashed and managed entirely by Firebase.
Multi-Factor Authentication (MFA)
TOTP-based MFA is available for all users via an authenticator app (Google Authenticator, Authy, etc.). School administrators can require MFA for all users in their institution.
Token-based API access
All API requests require a short-lived Firebase ID token (1-hour expiry). Tokens are verified server-side on every request. No long-lived API keys are issued to end users.
Multi-tenant isolation
Every database query is scoped to a tenant ID. Cross-tenant data access is prevented at the middleware layer. Requests missing a valid tenant scope are rejected by default.
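The tenant-scoping check described above, as an added example (not Auriga's code): an Express-style middleware that rejects requests without a verified tenant claim or whose claim does not match the tenant in the URL, plus a query builder that can only emit tenant-scoped filters. It assumes the Firebase ID token has already been verified and its claims attached as `req.user`, and that the tenant is carried in a custom claim named `tenantId`; both are assumptions, as are the sample requests.

```javascript
// Added example, not Auriga's code. Assumes req.user holds the claims of an
// already-verified Firebase ID token and that the tenant lives in a custom
// claim named "tenantId" (assumption). No Express dependency is needed to run it.

// Build the filter list for a Firestore-style query. The tenant filter is
// always first and a caller-supplied "tenantId" filter can never override it.
function scopedQuery(tenantId, filters = []) {
  if (typeof tenantId !== "string" || tenantId.length === 0) {
    throw new Error("refusing to build a query without a tenant scope");
  }
  const userFilters = filters.filter(([field]) => field !== "tenantId");
  return [["tenantId", "==", tenantId], ...userFilters];
}

// Decide whether a request may proceed. Returns a plain result object rather
// than writing to res, so the decision can be unit-tested without a server.
function enforceTenantScope(req) {
  const claims = req.user;
  if (!claims || typeof claims.tenantId !== "string" || !claims.tenantId) {
    return { status: 401, error: "missing tenant scope" }; // rejected by default
  }
  const requested = req.params && req.params.tenantId;
  if (requested !== undefined && requested !== claims.tenantId) {
    // Authenticated, but for a different institution: cross-tenant access.
    return { status: 403, error: "cross-tenant access denied" };
  }
  return { status: 200, tenantId: claims.tenantId };
}

// Express-compatible wrapper (assumes the usual req/res/next signature).
function tenantScopeMiddleware(req, res, next) {
  const result = enforceTenantScope(req);
  if (result.status !== 200) {
    res.status(result.status).json({ error: result.error });
    return;
  }
  // Downstream handlers read req.tenantId, never the URL or request body.
  req.tenantId = result.tenantId;
  next();
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = {
  ok:          { user: { uid: "u1", tenantId: "school-a" }, params: { tenantId: "school-a" } },
  crossTenant: { user: { uid: "u1", tenantId: "school-a" }, params: { tenantId: "school-b" } },
  noClaim:     { user: { uid: "u1" },                        params: { tenantId: "school-a" } },
};
```

The middleware is installed once for every `/tenants/:tenantId/...` route, so a handler that forgets to filter by tenant still receives only `req.tenantId`, and `scopedQuery` makes the tenant filter impossible to omit at the data layer.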
Session Security
Idle session timeout
Authenticated sessions automatically expire after 30 minutes of inactivity on the server. The browser client shows a 60-second warning before automatic logout. Users can extend their session by clicking 'Stay Logged In'.
Secure cookies
Authentication cookies are set with the HttpOnly, Secure, and SameSite=Strict flags: HttpOnly keeps the cookie out of reach of page scripts (limiting what an XSS bug can steal), Secure restricts it to HTTPS, and SameSite=Strict stops the browser from attaching it to cross-site requests (mitigating CSRF).
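The two session controls above (server-side idle expiry with a client warning, and the cookie flags), as an added example that is not Auriga's code. Timestamps are passed in explicitly so the behaviour is deterministic; a real server would use `Date.now()`. The cookie name `session` and the in-memory store are assumptions.

```javascript
// Added example, not Auriga's code. Demonstrates a 30-minute server-side idle
// timeout, the 60-second client warning, "Stay Logged In" extension, and the
// Set-Cookie flags. Cookie name and storage are assumptions.

const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // expire after 30 minutes of inactivity
const WARNING_MS = 60 * 1000;           // client shows its warning 60 s before that

class SessionStore {
  constructor() { this.sessions = new Map(); }

  create(sessionId, uid, now) {
    this.sessions.set(sessionId, { uid, lastActivity: now });
  }

  // Returns the live session, or null (and drops it) once it has been idle
  // for the timeout. The server decides; the client warning is a courtesy.
  get(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    if (now - s.lastActivity >= IDLE_TIMEOUT_MS) {
      this.sessions.delete(sessionId);
      return null;
    }
    return s;
  }

  // Any authenticated request, or the "Stay Logged In" click, resets the clock.
  // Returns false if the session had already expired (the user must log in again).
  touch(sessionId, now) {
    const s = this.get(sessionId, now);
    if (!s) return false;
    s.lastActivity = now;
    return true;
  }

  // How long the client may wait before showing the 60-second warning.
  msUntilWarning(sessionId, now) {
    const s = this.get(sessionId, now);
    if (!s) return 0;
    return Math.max(0, s.lastActivity + IDLE_TIMEOUT_MS - WARNING_MS - now);
  }
}

// Set-Cookie value for the session cookie with all three flags. The value is
// restricted to a safe character set so no attribute can be injected into it.
function sessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error("session id contains characters not allowed in a cookie value");
  }
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
```

The server-side check in `get` is what actually ends the session; the browser countdown only tells the user it is about to happen, so a client that suppresses the warning gains nothing.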
Infrastructure Security
Google Cloud Platform
Auriga runs on Google Cloud Platform (GCP), which holds SOC 2 Type II, ISO 27001, and FedRAMP certifications. Under GCP's shared responsibility model, Google provides physical security, hardware security, and network perimeter controls.
Cloud Run (serverless)
Application services run on Google Cloud Run. Each request is served in an isolated container. There is no persistent server state between requests.
Rate limiting
All API endpoints are protected by Redis-backed rate limiting. Different tiers apply to authenticated and unauthenticated routes. Excessive request rates trigger temporary blocks.
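The tiered rate limiting with temporary blocks, as an added example that is not Auriga's code. The counter store mimics the two Redis operations the pattern needs (an atomic increment that sets a TTL on the first hit, and a get/set with TTL), so the block runs offline; in production the same interface would be backed by a Redis client. The tier limits, window length and block duration are assumptions, not Auriga's configuration.

```javascript
// Added example, not Auriga's code. Fixed-window rate limiting with separate
// tiers for authenticated (per user) and unauthenticated (per IP) callers and a
// temporary block once a tier is exceeded. Limits below are assumed values.

const TIERS = {
  authenticated:   { limit: 100, windowMs: 60000 }, // keyed by user id
  unauthenticated: { limit: 20,  windowMs: 60000 }, // keyed by client IP
};
const BLOCK_MS = 5 * 60000; // assumed length of the temporary block

// In-memory stand-in for Redis: each value carries an absolute expiry.
class CounterStore {
  constructor() { this.data = new Map(); }
  _live(key, now) {
    const e = this.data.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= now) { this.data.delete(key); return undefined; }
    return e;
  }
  // Equivalent of INCR plus PEXPIRE on first increment.
  incr(key, ttlMs, now) {
    const e = this._live(key, now);
    if (!e) { this.data.set(key, { value: 1, expiresAt: now + ttlMs }); return 1; }
    e.value += 1;
    return e.value;
  }
  set(key, value, ttlMs, now) { this.data.set(key, { value, expiresAt: now + ttlMs }); }
  get(key, now) { const e = this._live(key, now); return e ? e.value : undefined; }
}

class RateLimiter {
  constructor(store) { this.store = store; }

  // req: { uid?: string, ip: string }. Returns { allowed, remaining, retryAfterMs }.
  check(req, now) {
    const tier = req.uid ? TIERS.authenticated : TIERS.unauthenticated;
    const subject = req.uid ? `uid:${req.uid}` : `ip:${req.ip}`;

    // A caller that recently exceeded its tier stays blocked until the TTL lapses.
    const blockedUntil = this.store.get(`block:${subject}`, now);
    if (blockedUntil !== undefined) {
      return { allowed: false, remaining: 0, retryAfterMs: blockedUntil - now };
    }

    // Window start is part of the key, so each window gets a fresh counter and
    // the TTL is cut to the time left in the window.
    const windowStart = Math.floor(now / tier.windowMs) * tier.windowMs;
    const ttl = windowStart + tier.windowMs - now;
    const count = this.store.incr(`rl:${subject}:${windowStart}`, ttl, now);
    if (count > tier.limit) {
      this.store.set(`block:${subject}`, now + BLOCK_MS, BLOCK_MS, now);
      return { allowed: false, remaining: 0, retryAfterMs: BLOCK_MS };
    }
    return { allowed: true, remaining: tier.limit - count, retryAfterMs: 0 };
  }
}
```

Keying authenticated callers by user id rather than IP matters in a school setting, where an entire campus often sits behind one NAT address: the unauthenticated tier throttles the shared address, while logged-in users are limited individually.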
Security headers
HTTP security headers are enforced on all responses: Content-Security-Policy (CSP), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Permissions-Policy.
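A header audit for the set listed above, as an added example that is not Auriga's code: given a response's headers it reports what is missing or weaker than the stated policy, which is the check a reviewer would run against a live endpoint. The concrete CSP, Referrer-Policy and Permissions-Policy values in the samples are assumptions; the page only names the headers.

```javascript
// Added example, not Auriga's code. Audits a response's headers against the
// policy named above (CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff,
// Referrer-Policy, Permissions-Policy). Sample header values are constructed.

// Lower-case the names so lookups are case-insensitive, as HTTP headers are.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns an array of findings; an empty array means the response passes.
function auditSecurityHeaders(headers) {
  const h = normalise(headers);
  const findings = [];
  const required = [
    "content-security-policy", "x-frame-options", "x-content-type-options",
    "referrer-policy", "permissions-policy",
  ];
  for (const name of required) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }
  if ("x-frame-options" in h && h["x-frame-options"].toUpperCase() !== "DENY") {
    findings.push(`x-frame-options is ${h["x-frame-options"]}, expected DENY`);
  }
  if ("x-content-type-options" in h && h["x-content-type-options"].toLowerCase() !== "nosniff") {
    findings.push("x-content-type-options must be nosniff");
  }
  if ("content-security-policy" in h) {
    const directives = h["content-security-policy"].split(";").map(s => s.trim());
    const scriptSrc = directives.find(d => d.startsWith("script-src"));
    const defaultSrc = directives.find(d => d.startsWith("default-src"));
    if (!scriptSrc && !defaultSrc) findings.push("csp sets neither default-src nor script-src");
    // Allowing inline scripts gives up most of what CSP buys against XSS.
    const effective = scriptSrc || defaultSrc || "";
    if (effective.includes("'unsafe-inline'")) findings.push("csp allows 'unsafe-inline' scripts");
  }
  return findings;
}

// Constructed sample responses: one that passes, one with common weaknesses.
const GOOD_RESPONSE_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
const WEAK_RESPONSE_HEADERS = {
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "x-frame-options": "SAMEORIGIN",
  "x-content-type-options": "nosniff",
};
```

Run against the headers of a real response (for instance the object Node's `http` client exposes as `res.headers`) the same function turns the policy statement above into a repeatable check.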
Audit Logging
Comprehensive audit trail
All data access and modification events across 52+ API endpoints are recorded in an append-only audit log. Each entry captures the user ID, tenant ID, action, resource type, resource ID, and timestamp.
Audit log retention
Audit logs are retained for 7 years (2,555 days) in accordance with FERPA record-keeping standards. Logs are stored in Firestore with restricted access.
Admin access
School administrators can view the audit log for their institution through the compliance dashboard at /admin/compliance.
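The audit-logging design in this section (the six fields per entry, append-only storage, the 2,555-day retention window and tenant-scoped admin views), as an added example that is not Auriga's code. Firestore is stood in for by an in-memory array, and the field names, action names and sample entries are assumptions.

```javascript
// Added example, not Auriga's code. An append-only audit log that requires the
// six fields named above on every entry, exposes only tenant-scoped reads, and
// identifies entries that have aged past the retention window. Storage and
// field names are assumptions; Firestore is replaced by an in-memory array.

const RETENTION_DAYS = 2555; // 7 years, as stated in the retention section
const RETENTION_MS = RETENTION_DAYS * 24 * 60 * 60 * 1000;
const REQUIRED_FIELDS = ["userId", "tenantId", "action", "resourceType", "resourceId", "timestamp"];

class AuditLog {
  constructor() { this._entries = []; } // no update or delete method is exposed

  // Validate and append one entry; returns its sequence number.
  append(entry) {
    for (const f of REQUIRED_FIELDS) {
      if (entry[f] === undefined || entry[f] === null || entry[f] === "") {
        throw new Error(`audit entry missing required field: ${f}`);
      }
    }
    if (!Number.isInteger(entry.timestamp)) throw new Error("timestamp must be epoch milliseconds");
    // Frozen so a later code path cannot mutate a record after it is written.
    const record = Object.freeze({ ...entry, seq: this._entries.length });
    this._entries.push(record);
    return record.seq;
  }

  // Administrator view: only the admin's own tenant, newest first, with
  // optional filters for the compliance dashboard.
  forTenant(tenantId, { action, since } = {}) {
    return this._entries
      .filter(e => e.tenantId === tenantId)
      .filter(e => action === undefined || e.action === action)
      .filter(e => since === undefined || e.timestamp >= since)
      .sort((a, b) => b.timestamp - a.timestamp);
  }

  // Entries older than the retention window; a scheduled job would purge these,
  // which is the only path by which anything leaves the log.
  expiredBefore(now) {
    return this._entries.filter(e => now - e.timestamp > RETENTION_MS);
  }
}

// Called from a request handler after the tenant middleware has run, so the
// recorded tenant is the verified one rather than anything client-supplied.
function auditEntryFor(req, action, resourceType, resourceId, now) {
  return {
    userId: req.user.uid,
    tenantId: req.tenantId,
    action,
    resourceType,
    resourceId,
    timestamp: now,
  };
}

// Constructed sample entries for two institutions.
const SAMPLE_T0 = 1700000000000;
const SAMPLE_ENTRIES = [
  { userId: "u1", tenantId: "school-a", action: "student.read",   resourceType: "student", resourceId: "s-1", timestamp: SAMPLE_T0 },
  { userId: "u2", tenantId: "school-b", action: "student.update", resourceType: "student", resourceId: "s-9", timestamp: SAMPLE_T0 + 1000 },
];
```

Building the entry from `req.tenantId` and `req.user.uid` (values set by the authentication and tenant middleware) rather than from request parameters is what keeps the log trustworthy: a caller cannot record an action under another institution's tenant ID.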
Vulnerability Management
Dependency scanning
Dependencies are automatically scanned for known vulnerabilities using GitHub Dependabot. Critical and high-severity vulnerabilities are patched within 72 hours.
Responsible disclosure
We accept responsible disclosure reports at security@auriga.education. We aim to acknowledge reports within 48 hours and release fixes within 14 days for critical issues.
Security Questions
For security inquiries, vulnerability reports, or to request a security questionnaire completion, contact: security@auriga.education
See also: Student Privacy Pledge · DPA Template