Privacy & Security
ZERO-PERSISTENCE DELIVERY PROTOCOL
AI Privacy: Sandboxed
Intellectual Property & AI
We prioritise the protection of author and institution intellectual property. Use of our AI tools does not contribute in any way to LLM training.
- Sandboxed Environment: Any use of the AI tools, and any data they handle, is strictly sandboxed and accessible only to those with authorised permissions.
- Data Control: Customers retain full, granular control over access permissions and the secure deletion of their data.
Delivery: Encrypted Streaming
Zero-Download Architecture
Case Conduit eliminates the vulnerabilities of traditional file distribution. Content is streamed directly to students via encrypted connections—never stored as downloadable files on their devices.
- Streaming Delivery: Case content is transmitted in real-time over encrypted WebSocket connections. No files are written to permanent storage on student devices.
- No Download Button: Students cannot download, save, or redistribute cases. Content exists only during the active session, eliminating the primary leak point in digital education.
- Automatic Purge: For BYOC cases, all uploaded materials are automatically deleted from our servers 24 hours after your session ends. For Native cases, access tokens expire immediately when the session closes.
Encryption: AES-256-GCM + TLS 1.3
End-to-End Encryption
All data is protected with AES-256-GCM encryption at rest and TLS 1.3 in transit, ensuring your intellectual property remains confidential throughout the delivery process.
- Data at Rest: Cases are encrypted with AES-256-GCM before being stored. Encryption keys are rotated regularly and stored separately from the data.
- Data in Transit: All connections use TLS 1.3 with forward secrecy. Every classroom session generates unique encryption keys that are destroyed when the session ends.
- Immutable Backups: Our cloud-native architecture uses immutable storage snapshots to prevent ransomware attacks. Data cannot be encrypted or deleted by unauthorised parties.
- Zero-Knowledge Architecture: Your case content is encrypted before it reaches our servers. We cannot read your intellectual property even if we wanted to.
Infrastructure: Globally Distributed
Enterprise-Grade Infrastructure
Case Conduit runs on globally distributed cloud infrastructure with automatic failover, ensuring consistent availability and performance for classrooms worldwide.
- Geographic Distribution: Content is automatically routed through the nearest regional node to minimize latency for your students, regardless of location.
- Automatic Scaling: Infrastructure scales dynamically to handle classroom demand—from 10 students to 1,000+ concurrent users without performance degradation.
- 99.9% Uptime Target: Multi-region redundancy ensures your sessions remain accessible even during infrastructure failures in any single geographic zone.
- GDPR & Data Residency: For EU-based institutions, we can ensure data remains within EU regions to comply with data protection regulations.
Identity: Isolated & Hashed
Identity & Payment Security
Personal credentials and financial data are stored in isolated systems with industry-standard security practices.
- Password Security: Passwords are hashed using bcrypt with unique salts. We never see or store your actual password in plain text.
- Data Isolation: Personal information, case content, and financial data are stored in separate databases with independent access controls.
- PCI-DSS Compliance: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We never store full credit card details on our servers.
- Two-Factor Authentication: Optional 2FA is available for all accounts to prevent unauthorised access even if passwords are compromised.
Compliance: SOC 2 Track
Compliance & Transparency
We are committed to meeting the security and privacy standards expected by educational institutions worldwide.
- SOC 2 Compliance (In Progress): We are working toward SOC 2 Type II certification to demonstrate our commitment to security, availability, and confidentiality.
- GDPR Ready: Data processing agreements, data residency options, and right-to-deletion workflows are built into the platform from day one.
- Regular Security Audits: Third-party penetration testing and security audits will be conducted annually once the platform exits beta.
- Transparent Incident Response: In the event of a security incident, affected users will be notified within 72 hours with full details of the breach and remediation steps.