Security is not a feature. It is the architecture.

JWT signing against the platform's JWKS. Every LMS launch token is signed by the platform's private key. We verify the signature against the platform's published JWKS — the same trust mechanism used by OAuth 2.0. Issuer, audience, nonce, expiration, and LTI version are all checked.

Nonce replay protection. Every launch carries a single-use nonce in a short-lived HttpOnly cookie. A captured launch token cannot be replayed — the second attempt fails because the nonce has already been consumed.

DNS TXT domain verification. Institutions prove they control the domain they registered by publishing a TXT record on <code>_setflow-lti-verify.&lt;domain&gt;</code>. Same trust model as SSL Domain-Validation certificates. Unverified platforms still launch (for back-compat with pilot installs) but surface a yellow warning banner.

Partitioned cookies (CHIPS). LTI session cookies use the Partitioned attribute (Chrome 132+ CHIPS). The cookie is isolated to the LMS embedding partition — it cannot leak across origins.

Origin / Referer defense-in-depth. The launch endpoint cross-checks the request's Origin header against the platform's expected authentication URL. A stolen JWT replayed from elsewhere still fails this second lock.

Frame-ancestors allow-list. SetFlow content is iframable <em>only</em> by verified LMS domains. Every other origin gets <code>frame-ancestors 'none'</code> + <code>X-Frame-Options: DENY</code>. The open web cannot embed us; your verified LMS can.

Strict-Transport-Security. Forces HTTPS for 2 years (max-age=63072000) with includeSubDomains. No downgrade attacks; no man-in-the-middle even on first visit (after HSTS preload).

Content-Security-Policy. Explicit allow-list of which origins can load resources. Blocks XSS that gets past Next.js's default escaping; blocks data exfiltration to attacker-controlled servers.

frame-ancestors. <code>none</code> by default; dynamically relaxed only for verified LMS domains on iframable routes after a verified LTI launch.

X-Content-Type-Options: nosniff. Prevents MIME-type sniffing attacks — a user-uploaded "image" cannot be rendered as JavaScript.

Referrer-Policy. <code>strict-origin-when-cross-origin</code> — limits referrer data sent to third parties. Full URL on same-origin requests; origin-only across sites.

Permissions-Policy. <code>camera=(self), microphone=(self), geolocation=(), interest-cohort=()</code>. Camera and microphone usable only by SetFlow itself (for voice mode and proctoring). FLoC / Topics tracking explicitly disabled.

Cross-Origin-Opener-Policy. <code>same-origin</code>. Prevents cross-origin window references that could be used in side-channel attacks.

Cross-Origin-Resource-Policy. <code>same-origin</code>. Resources are only loadable by SetFlow origins.

AES-256-GCM. The same encryption standard used by the US government for classified information. Used for every BYODB connection string, every OAuth token, every sensitive credential. GCM is <em>authenticated</em> encryption — it provides both confidentiality and integrity, so a tampered ciphertext is detected and rejected rather than silently decrypted to garbage.

Field-level encryption on user free-text. Every free-text field that could contain personal disclosure is encrypted at rest with AES-256-GCM: <code>User.bio</code>, <code>User.toriContext</code> (what you told Tori about yourself), <code>StudentAccommodation.studentNotes</code> (your own disclosure), <code>StudentAccommodation.teacherNotes</code> (educator observations). The application decrypts on read; the database sees only ciphertext.

Hashed IP addresses. Client IP is needed in memory at session creation so we can resolve country/city for the live globe. Immediately after that resolution the IP is hashed (HMAC-SHA256 with a server salt) and the hash is what gets stored. The plaintext IP never reaches durable storage. A leaked Session row tells you "this session existed" but cannot tell you which household / network it came from.

Hashed TOTP backup codes. Two-factor backup codes are stored as hashes, never plaintext. A leaked User row cannot be used to bypass 2FA.

Unique IV per encryption. 12-byte IV generated via cryptographically secure RNG (Node's <code>randomBytes</code>) on every encryption. Never reused across messages.

Scrypt key derivation. Keys are derived from a master secret using scrypt — a memory-hard function that makes brute-force attacks computationally infeasible. Far more resistant to GPU- and ASIC-based attacks than PBKDF2 or bcrypt.

Versioned envelope. Ciphertext is stored as <code>v1:&lt;iv&gt;:&lt;tag&gt;:&lt;ct&gt;</code>. The version prefix lets us migrate to v2 schemes without a flag-day database migration.

Key isolation. Keys are never stored in source code, in environment files that ship to the client side, or in log files. Production keys live only in Vercel's encrypted environment vault. Migration to a managed KMS (AWS KMS / GCP KMS) is on the near-term roadmap.

FIPS-compatible primitives. AES-GCM and SHA-2 are FIPS 140-3 approved. Argon2id (used where applicable) is currently outside FIPS but offers stronger resistance against GPU-based attacks; the trade-off is documented.

Session cookies. <code>HttpOnly</code> (no JavaScript access; immune to XSS-based session theft), <code>Secure</code> (HTTPS only), <code>SameSite=Lax</code> (cross-site request protection while still supporting top-level navigation). NextAuth session cookie uses the <code>__Secure-</code> prefix; CSRF token uses the <code>__Host-</code> prefix to prevent subdomain attacks.

LTI integration cookies. <code>HttpOnly</code>, <code>Secure</code>, <code>SameSite=None</code>, <code>Partitioned</code>. The Partitioned attribute (CHIPS) is required for correct operation in LMS iframes under Chrome 132+. The cookie is isolated to the LMS embedding partition — it cannot be read or set from other origins.

Cookie consent. Non-essential cookies (analytics, marketing) require explicit consent via our in-product cookie banner. Until you accept, analytics tooling stays in memory-only mode and never writes a persistent identifier.

Do Not Track. When your browser sends DNT, we disable Google Analytics 4 on our public marketing pages entirely — the gtag.js script is never injected, no requests are made.

Detection. Vercel observability + Neon alerts + custom error tracking trip on anomaly thresholds.

Containment. Founder is on-call 24/7. Incident-response runbook gates rollback decisions and customer-impact assessment.

Customer notification — first contact. Affected school admins are emailed within 4 hours of a confirmed incident affecting their tenant. The /status page is updated within 30 minutes for site-wide events.

Breach notification — written commitment. We will deliver written breach notice to the institution's designated contact on file <strong>within 72 hours of confirming unauthorized access to their data</strong>. The notice will describe what happened, what data was affected, what we are doing to investigate and remediate, and what affected individuals can do to protect themselves. We will notify individual users as required by applicable law.

No "let us understand the scope" delay. We will not wait to "understand the full scope" before notifying. Initial notice goes out within 72 hours with what is known at that time; follow-up notices update the picture as the investigation progresses.

Post-mortem. Public post-mortem on the blog within 14 days for any incident that affected more than one school. Honest about what failed and what we changed.