
VarsityOS

Security

We protect 10,000+ students. Here's exactly how.

Security-by-Design Architecture

VarsityOS is built on Supabase (managed Postgres with RLS), hosted on Vercel (SOC 2 Type II), and protected by Arcjet at the edge. Every request passes through our security middleware before reaching your data. We follow a zero-trust model: each request is independently authenticated and rate-limited regardless of origin.

🔐 Authentication

  • ✓ PKCE auth flow — prevents authorization code interception
  • ✓ Supabase Row-Level Security (RLS) — your data is invisible to other users at database level
  • ✓ HTTP-only session cookies — JavaScript cannot read your session token
  • ✓ Middleware session refresh on every request
  • ✓ No plaintext passwords stored — bcrypt hashing via Supabase Auth

🛡️ Network Security

  • ✓ Arcjet DDoS shield + bot detection — blocks automated attacks in real time
  • ✓ Sliding window rate limits: 60 req/min (general), 10 req/min (AI routes)
  • ✓ Upstash Redis distributed rate limiting — survives multi-region deployments
  • ✓ HSTS preloaded: max-age=63072000 (2 years) — forces HTTPS for all visitors
  • ✓ Strict Content-Security-Policy blocks XSS and data injection attacks
  • ✓ X-Frame-Options: DENY — prevents clickjacking in iframes
  • ✓ X-Content-Type-Options: nosniff — prevents MIME-type confusion attacks
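The sliding-window limits above (60 req/min general, 10 req/min on AI routes) can be shown concretely. This is an added example, not VarsityOS code and not the Upstash library: it implements the weighted sliding-window counter that Upstash's slidingWindow algorithm uses, with an in-memory Map standing in for Redis. The "/api/ai/" route prefix, the client-id format and the function names are assumptions for the example; the two limits are the ones stated on this page.

```javascript
// Added example (not VarsityOS code, not the Upstash SDK): weighted sliding-window
// rate limiter. Two fixed 60 s windows are kept per key; the previous window's count
// is weighted by how much of it still overlaps the trailing 60 s.
const WINDOW_MS = 60_000;
const LIMITS = { general: 60, ai: 10 }; // requests per minute, as stated on the page

// key -> { windowStart, current, previous }. In production this state lives in Redis
// so that every region sees the same counters.
const counters = new Map();

// Route classification; the "/api/ai/" prefix is an assumption for this demo.
function routeClass(pathname) {
  return pathname.startsWith("/api/ai/") ? "ai" : "general";
}

// Decide whether one request from clientId to pathname may proceed.
// `now` is injectable so behaviour across a window boundary can be tested.
function checkRateLimit(clientId, pathname, now = Date.now()) {
  const cls = routeClass(pathname);
  const limit = LIMITS[cls];
  const key = `${cls}:${clientId}`; // AI and general limits are separate buckets
  const windowStart = Math.floor(now / WINDOW_MS) * WINDOW_MS;

  let c = counters.get(key);
  if (!c || c.windowStart !== windowStart) {
    // Entering a new fixed window: the old count only counts as "previous"
    // if it belongs to the immediately preceding window.
    const previous = c && c.windowStart === windowStart - WINDOW_MS ? c.current : 0;
    c = { windowStart, current: 0, previous };
    counters.set(key, c);
  }

  const elapsed = now - windowStart;
  const weight = (WINDOW_MS - elapsed) / WINDOW_MS; // 1.0 at window start, 0.0 at its end
  const estimate = c.previous * weight + c.current;

  if (estimate >= limit) {
    return { allowed: false, limit, remaining: 0, retryAfterMs: WINDOW_MS - elapsed };
  }
  c.current += 1;
  return { allowed: true, limit, remaining: Math.max(0, Math.floor(limit - estimate - 1)) };
}

// Clears all state; used by tests and demos only.
function resetRateLimits() {
  counters.clear();
}
```

The weighting is what makes this a sliding rather than a fixed window: a client that spent its 10 AI requests at the very end of one minute does not get 10 fresh ones a second later, because the previous window still carries nearly full weight. The `retryAfterMs` value is what a middleware would surface as a Retry-After header.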

🔒 Data Protection

  • ✓ AES-256 encryption at rest (Supabase/AWS)
  • ✓ TLS 1.3 encryption in transit — end-to-end for all connections
  • ✓ API keys never exposed to browsers — server-only env vars
  • ✓ Supabase service role key strictly confined to server-side code
  • ✓ No third-party access to raw user data
  • ✓ Source maps hidden from production builds (prevents reverse engineering)

🧹 Input Validation

  • ✓ All user inputs sanitized — HTML tags stripped before storage
  • ✓ CSRF origin header validation on all POST/PUT/PATCH/DELETE routes
  • ✓ Payload size limit: 1 MB per request
  • ✓ Malicious pattern detection: XSS, SQL injection, path traversal, SSRF
  • ✓ JSON body scanning for nested attack payloads
  • ✓ Email format validation (RFC 5321)
  • ✓ Error messages never leak stack traces or secrets to clients
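Two of the checks listed above, CSRF origin validation on mutating methods and the 1 MB payload cap, are simple enough to show as one framework-neutral function. This is an added example and not VarsityOS middleware: it operates on a plain request object with lower-cased header names, and the trusted origin `https://app.example` is constructed for the example. The 1 MB figure and the method list are taken from the page.

```javascript
// Added example (not VarsityOS code): request-shape checks run before a
// mutating route touches data. Works on a plain { method, headers } object.
const MAX_BODY_BYTES = 1024 * 1024; // 1 MB per request, as stated on the page
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reduce a URL-shaped header value to scheme://host[:port]; null if unparsable.
// This also rejects the literal "null" Origin sent from opaque (sandboxed/file) contexts.
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// req: { method, headers } with lower-cased header names, e.g.
// { method: "POST", headers: { origin: "https://app.example", "content-length": "120" } }
function checkMutationRequest(req, allowedOrigins, maxBytes = MAX_BODY_BYTES) {
  if (!MUTATING_METHODS.has(req.method.toUpperCase())) return { ok: true }; // reads are not CSRF targets
  const h = req.headers;

  // CSRF: browsers attach Origin to cross-site mutating requests. Fall back to Referer
  // when Origin is absent, and refuse when neither names a trusted site.
  const source = h.origin ? originOf(h.origin) : h.referer ? originOf(h.referer) : null;
  if (source === null) return { ok: false, status: 403, reason: "missing or opaque origin" };
  if (!allowedOrigins.has(source)) return { ok: false, status: 403, reason: "cross-site origin" };

  // Payload cap: refuse from the declared length before reading the body.
  // A chunked body without Content-Length must additionally be capped while streaming.
  if (h["content-length"] !== undefined) {
    const declared = Number(h["content-length"]);
    if (!Number.isInteger(declared) || declared < 0) {
      return { ok: false, status: 400, reason: "bad content-length" };
    }
    if (declared > maxBytes) return { ok: false, status: 413, reason: "payload too large" };
  }
  return { ok: true };
}

// Constructed for the example: the only origin allowed to mutate state.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);
```

Comparing the parsed `origin` rather than the raw header string matters: it normalises port and case and guarantees that a value which is not a URL at all cannot accidentally equal a trusted entry. Ordering the origin check before the size check means a cross-site request is refused regardless of how large it claims to be.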

💳 Payment Security

  • ✓ Paystack handles all card data — we never see or store card numbers
  • ✓ Subscription webhooks are authenticated with a shared secret — forged callbacks are rejected
  • ✓ Paystack is a PCI-DSS Level 1 compliant payment service provider
  • ✓ Payment records retained 5 years for SARS tax compliance only

📱 Client & PWA

  • ✓ Service worker isolates cached data — no cross-origin cache leaks
  • ✓ IndexedDB data scoped per origin — other sites cannot read it
  • ✓ Offline sync queue uses retry logic with max 3 attempts before drop
  • ✓ Sensitive credentials never written to localStorage or sessionStorage
  • ✓ Permissions-Policy: camera=(), microphone=(), geolocation=() — disabled

⚖️ Legal Compliance

Regulation | Status | Detail
POPIA (Act 4 of 2013) | Compliant | Registered with the Information Regulator. Reg No: 2026-005658
PAIA (Act 2 of 2000) | Manual filed | Section 51 Manual available at /paia — 2025/2026 annual report submitted
HSTS Preload | Active | max-age=2y, includeSubDomains, preload — forces HTTPS for all visitors
ECT Act (25 of 2002) | Compliant | Electronic communications and transactions legally binding
CPA (68 of 2008) | Compliant | 7-day refund policy, 30-day change notice, consumer rights preserved
NCA (34 of 2005) | N/A | No credit products offered — Stokvel OS is informational only

🏗️ Infrastructure Partners

  • Supabase: Database, Auth, Storage; SOC 2 Type II, GDPR, ISO 27001
  • Vercel: Edge hosting, Functions, CDN; SOC 2 Type II, ISO 27001, PCI DSS SAQ A
  • Arcjet: Edge security; security middleware, bot detection, DDoS protection
  • Upstash Redis: Distributed rate limiting; SOC 2 Type II, GDPR
  • Anthropic: AI (Nova); SOC 2 Type II, enterprise data processing agreement
  • Paystack: Payment processing; PCI-DSS Level 1 compliant payment service provider
  • Sentry: Error monitoring (no PII in error events); SOC 2 Type II, GDPR

✦ AI (Nova) Security

Your conversations with Nova are sent to Anthropic's Claude API over TLS. We have enabled zero data retention — Anthropic does not use your messages to train models. Messages are stored in our database for paying subscribers (90 days) and deleted on request.

Nova context is scoped to YOUR data only. Your profile, budget, and tasks are injected into prompts server-side — they are never visible to other users and are never logged in a way that could cross-contaminate sessions.

Anthropic's API key is a server-only environment variable and is never exposed to browsers, source maps, or client-side bundles.

🔍 Responsible Disclosure

We take security reports seriously. If you discover a vulnerability in VarsityOS, please disclose it responsibly:

  • Email: security@varsityos.co.za
  • Subject line: SECURITY DISCLOSURE — [brief description]
  • Include: affected URL, steps to reproduce, impact assessment, your contact details
  • We will acknowledge within 48 hours and provide a fix timeline

Please do not publicly disclose vulnerabilities before we have had reasonable time to fix them (we ask for a minimum 90-day window). We do not operate a bug bounty programme at this time, but we will credit researchers in our changelog.

Out of scope: social engineering, physical access attacks, denial-of-service attacks, spam.

❌ What We Never Do

  • ✗ Sell your personal information to advertisers or data brokers
  • ✗ Store your payment card details (Paystack handles all card data)
  • ✗ Use your Nova conversations to train AI models
  • ✗ Share your academic or financial data with your institution without your consent
  • ✗ Send unsolicited marketing without explicit opt-in
  • ✗ Retain your data beyond the periods disclosed in our Privacy Policy
  • ✗ Request your password via email or support chat (we will never ask for it)


Questions? security@varsityos.co.za