
VarsityOS
We protect 10,000+ students. Here's exactly how.
Security-by-Design Architecture
VarsityOS is built on Supabase (managed Postgres with RLS), hosted on Vercel (SOC 2 Type II), and protected by Arcjet at the edge. Every request passes through our security middleware before reaching your data. We follow a zero-trust model: each request is independently authenticated and rate-limited regardless of origin.
| Regulation | Status | Detail |
|---|---|---|
| POPIA (Act 4 of 2013) | Compliant | Registered with the Information Regulator. Reg No: 2026-005658 |
| PAIA (Act 2 of 2000) | Manual filed | Section 51 Manual available at /paia — 2025/2026 annual report submitted |
| HSTS Preload | Active | max-age=2y, includeSubDomains, preload — force HTTPS for all visitors |
| ECT Act (25 of 2002) | Compliant | Electronic communications and transactions legally binding |
| CPA (68 of 2008) | Compliant | 7-day refund policy, 30-day change notice, consumer rights preserved |
| NCA (34 of 2005) | N/A | No credit products offered — Stokvel OS is informational only |
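The zero-trust rule from the architecture paragraph (every request authenticated and rate-limited independently, regardless of its origin) and the HSTS row in the table, as an added plain Node.js example. This is not VarsityOS's own middleware and does not call the Arcjet library; the bearer-token session map, the bucket sizes and the request shape are constructed for illustration. The header value is the seconds form of `max-age=2y` (63072000), and the preload check applies the published hstspreload.org minimum of a one-year max-age with `includeSubDomains` and `preload`.

```javascript
// Added example: a request gate applying the zero-trust rules above to every
// request, independent of Origin/Referer. Not VarsityOS's code and not the
// Arcjet API; session store, limits and request shape are constructed.

// Strict-Transport-Security for "max-age=2y, includeSubDomains, preload".
// The directive takes seconds: 2 years = 2 * 365 * 24 * 3600 = 63072000.
const HSTS_MAX_AGE = 2 * 365 * 24 * 3600;
const HSTS_HEADER = `max-age=${HSTS_MAX_AGE}; includeSubDomains; preload`;

// Preload-list submission requires max-age >= 1 year plus both directives.
function meetsPreloadRequirements(value) {
  const m = /max-age=(\d+)/i.exec(value);
  if (!m) return false;
  return Number(m[1]) >= 31536000
    && /\bincludeSubDomains\b/i.test(value)
    && /\bpreload\b/i.test(value);
}

// Constructed session store (bearer token -> user id). In a real deployment
// this is a verified session/JWT lookup, never a static map.
const SESSIONS = new Map([
  ['tok-alice', 'user-alice'],
  ['tok-bob', 'user-bob'],
]);

function authenticate(headers) {
  const [scheme, token] = (headers.authorization || '').split(' ');
  if (scheme !== 'Bearer' || !token) return null;
  return SESSIONS.get(token) ?? null;
}

// Token bucket keyed by caller identity; the Origin header is deliberately
// not an input, so limits follow the caller rather than where the page came from.
class TokenBucket {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.buckets = new Map();
  }
  take(key, now) {
    const b = this.buckets.get(key) ?? { tokens: this.capacity, last: now };
    const elapsedSec = Math.max(0, (now - b.last) / 1000);
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.last = now;
    const allowed = b.tokens >= 1;
    if (allowed) b.tokens -= 1;
    this.buckets.set(key, b);
    return allowed;
  }
}

const limiter = new TokenBucket(5, 1); // 5-request burst, 1 request/second sustained

// Runs before any data access. Anonymous callers are limited per source IP,
// authenticated callers per user id; the HSTS header is set on every response,
// including rejections.
function gate(request, now = Date.now()) {
  const headers = { 'Strict-Transport-Security': HSTS_HEADER };
  const userId = authenticate(request.headers || {});
  const key = userId ? `user:${userId}` : `ip:${request.ip ?? 'unknown'}`;
  if (!limiter.take(key, now)) {
    return { status: 429, headers: { ...headers, 'Retry-After': '1' }, userId };
  }
  if (!userId) return { status: 401, headers, userId: null };
  return { status: 200, headers, userId };
}
```

The rate-limit key is derived from the verified identity (or, failing that, the source address) rather than anything the client can set, which is what makes the limit hold "regardless of origin"; a distributed deployment would back `TokenBucket` with a shared store instead of a process-local map.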
| Function | Certifications / controls |
|---|---|
| Database, Auth, Storage (Supabase) | SOC 2 Type II, GDPR, ISO 27001 |
| Edge hosting, Functions, CDN (Vercel) | SOC 2 Type II, ISO 27001, PCI DSS SAQ A |
| Edge security (Arcjet) | Security middleware, bot detection, DDoS protection |
| Distributed rate limiting | SOC 2 Type II, GDPR |
| AI (Nova, via Anthropic) | SOC 2 Type II, enterprise data processing agreement |
| Payment processing | PCI-DSS Level 1 compliant payment service provider |
| Error monitoring (no PII in error events) | SOC 2 Type II, GDPR |
Your conversations with Nova are sent to Anthropic's Claude API over TLS. We have enabled zero data retention — Anthropic does not use your messages to train models. Messages are stored in our database for paying subscribers (90 days) and deleted on request.
Nova context is scoped to YOUR data only. Your profile, budget, and tasks are injected into prompts server-side — they are never visible to other users and are never logged in a way that could cross-contaminate sessions.
Anthropic's API key is a server-only environment variable and is never exposed to browsers, source maps, or client-side bundles.
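The three Nova properties above (context scoped server-side to the calling user, nothing logged that could cross sessions, and the API key kept server-only), as an added Node.js example. This is not VarsityOS's or Anthropic's code: the rows, the in-memory store, the `NOVA_API_KEY` variable name, the outbound request shape and the `NEXT_PUBLIC_` check (which assumes a Next.js front end, since only that prefix is inlined into Next.js client bundles) are all assumptions made for illustration.

```javascript
// Added example: server-side assembly of Nova's prompt context, scoped to the
// authenticated user, with the model API key kept server-only. Not VarsityOS's
// or Anthropic's code; rows, store, env name and request shape are constructed.

// Constructed rows. Each carries its owner's id, as RLS-protected tables do.
const PROFILES = [
  { user_id: 'user-alice', name: 'Alice', campus: 'Campus A' },
  { user_id: 'user-bob', name: 'Bob', campus: 'Campus B' },
];
const BUDGETS = [
  { user_id: 'user-alice', category: 'Groceries', limit: 1500 },
  { user_id: 'user-bob', category: 'Transport', limit: 800 },
];
const TASKS = [
  { user_id: 'user-alice', title: 'Revise chapter 3', due: '2026-03-02' },
  { user_id: 'user-alice', title: 'Tutorial sign-up', due: '2026-03-04' },
  { user_id: 'user-bob', title: 'Submit lab report', due: '2026-03-03' },
];

// Every read is filtered by the caller's id; there is no path that pulls
// another user's rows into a prompt.
function loadUserContext(userId) {
  return {
    profile: PROFILES.find((p) => p.user_id === userId) ?? null,
    budget: BUDGETS.filter((b) => b.user_id === userId),
    tasks: TASKS.filter((t) => t.user_id === userId),
  };
}

function buildSystemPrompt({ profile, budget, tasks }) {
  const lines = ['You are Nova, the VarsityOS assistant. Use only the context below.'];
  if (profile) lines.push(`Student: ${profile.name} (${profile.campus})`);
  for (const b of budget) lines.push(`Budget ${b.category}: limit ${b.limit}`);
  for (const t of tasks) lines.push(`Task: ${t.title}, due ${t.due}`);
  return lines.join('\n');
}

// Assumption: a Next.js app. There, only NEXT_PUBLIC_-prefixed variables are
// inlined into client bundles, so the secret's name must never carry that prefix.
function assertServerOnlyName(name) {
  if (/^NEXT_PUBLIC_/.test(name)) {
    throw new Error(`${name} would be inlined into the client bundle`);
  }
  return name;
}

// NOVA_API_KEY is an assumed variable name. Read at request time on the server
// and placed only in the outbound API request, never in anything returned to
// the browser.
function serverSecret(env = process.env) {
  const key = env[assertServerOnlyName('NOVA_API_KEY')];
  if (!key) throw new Error('NOVA_API_KEY is not configured');
  return key;
}

// Returns the outbound model call (constructed shape, not the Claude API wire
// format), the payload it is safe to return to the browser, and the audit record.
function prepareNovaCall(userId, userMessage, env) {
  const ctx = loadUserContext(userId);
  const body = {
    system: buildSystemPrompt(ctx),
    messages: [{ role: 'user', content: userMessage }],
  };
  return {
    apiRequest: { headers: { 'x-api-key': serverSecret(env) }, body },
    clientSafe: body,
    audit: auditRecord(userId, ctx, userMessage),
  };
}

// What gets logged: counts and the caller's id only, never prompt or message
// content, so a log line can never carry one user's data into another session.
function auditRecord(userId, ctx, message) {
  return {
    userId,
    profileLoaded: ctx.profile !== null,
    budgetRows: ctx.budget.length,
    taskRows: ctx.tasks.length,
    messageChars: message.length,
  };
}

// Test/CI guard: true if a serialised client payload contains the secret or
// any marker (name, task title) belonging to one of the other users.
function leaks(payload, secret, otherUserIds) {
  const text = JSON.stringify(payload);
  if (text.includes(secret)) return true;
  return otherUserIds.some((id) => {
    const other = loadUserContext(id);
    const markers = [other.profile?.name, ...other.tasks.map((t) => t.title)].filter(Boolean);
    return markers.some((m) => text.includes(m));
  });
}
```

The `leaks` guard is the kind of check worth running in CI against every route that returns model output to the browser: it fails the build if the secret or another user's data ever ends up in a client-bound payload, which is a stronger guarantee than relying on code review alone.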
We take security reports seriously. If you discover a vulnerability in VarsityOS, please disclose it responsibly:
Please do not publicly disclose vulnerabilities before we have had reasonable time to fix them (we ask for a minimum 90-day window). We do not operate a bug bounty programme at this time, but we will credit researchers in our changelog.
Out of scope: social engineering, physical access attacks, denial-of-service attacks, spam.
Questions? security@varsityos.co.za