
Data Security Policy

StudySync — Student Study App

Last updated: 25 January 2025

Your Data is Protected

StudySync implements enterprise-grade security measures to protect your personal data. We follow industry best practices and comply with GDPR Article 32 requirements for data protection.

1. Overview

StudySync takes the security of your personal data seriously. This document describes the technical and organisational security measures we implement to protect user data, in accordance with Article 32 of the GDPR.

2. Data in Transit

All communications between your browser and StudySync servers are protected by:

  • TLS 1.2 / TLS 1.3 encryption for all HTTP connections (HTTPS enforced)
  • Secure, HttpOnly session cookies to prevent client-side script access
  • HSTS (HTTP Strict Transport Security) headers to prevent downgrade attacks

3. Data at Rest

Your data is stored in a Neon PostgreSQL database with the following protections:

  • Database access is restricted to application-level credentials only — no public access
  • All database connections require authentication via secure connection strings stored as environment variables
  • Passwords are never stored in plain text; they are hashed using a strong cryptographic algorithm (bcrypt)
  • Profile pictures are stored in Vercel Blob with access-controlled public URLs

4. Access Controls

Access to your data is strictly controlled:

  • All API routes require authentication — unauthenticated requests are rejected with a 401 response
  • Every database query is scoped to the authenticated user's ID — users cannot access each other's data
  • Administrative access to the database is limited to authorised personnel only
  • Foreign key constraints at the database level ensure data integrity and prevent orphaned records

5. Account & Authentication Security

We implement the following authentication security measures:

  • Session tokens are cryptographically signed and stored securely
  • Google OAuth sign-in delegates authentication to Google's security infrastructure
  • Email/password accounts use hashed and salted password storage
  • Sessions are invalidated upon sign-out
  • Account deletion immediately and permanently removes all associated data via database cascade

6. Third-Party Security

We only use reputable third-party providers with strong security postures:

  • Neon: SOC 2 Type II certified database provider
  • Vercel: SOC 2 Type II certified hosting provider
  • Groq: AI processing with enterprise-grade security

Each provider acts as a data processor under a Data Processing Agreement (DPA) and is obligated to maintain appropriate security measures.

7. AI Feature Security

When you use AI-powered features:

  • Only the specific note content required for the feature is transmitted — never your full account data
  • Transmissions are encrypted via TLS
  • Groq does not retain submitted content for model training
  • Input validation and sanitisation are applied to all AI-generated HTML content before storage

8. Input Validation & Application Security

The App implements the following application-level security controls:

  • All user inputs are validated server-side before processing or storage
  • AI-generated HTML is sanitised using an allowlist-based sanitiser to prevent XSS
  • SQL injection is prevented through the use of parameterised queries via Drizzle ORM
  • File uploads (profile pictures) are validated for type and size before storage
  • Rate limiting and request validation are enforced on all API endpoints

9. Incident Response

In the event of a security incident or data breach:

  • We will investigate and contain the incident immediately
  • Affected users will be notified within 72 hours as required by GDPR
  • Relevant supervisory authorities will be informed
  • We will implement measures to prevent recurrence

To report a security vulnerability, please contact us at support@studysync.app.

10. Regular Security Reviews

We maintain security through:

  • Regular dependency updates and vulnerability scanning
  • Automated security testing in the CI/CD pipeline
  • Periodic manual security reviews of critical components
  • Monitoring of security advisories for all dependencies

11. Data Retention & Deletion

In accordance with GDPR requirements:

  • Data is retained only as long as your account is active
  • Account deletion triggers immediate and complete data removal
  • Backups are retained for a maximum of 7 days and are also deleted upon account removal
  • No data is kept for marketing or analytical purposes beyond basic usage metrics

12. Compliance & Certifications

StudySync is designed to comply with:

  • General Data Protection Regulation (GDPR)
  • EU data protection standards
  • Security best practices from OWASP and industry standards

Our Commitment: We are committed to maintaining the highest standards of data security and privacy. If you have any security concerns or questions, please contact us at security@studysync.app.

StudySync is committed to protecting your data with enterprise-grade security measures. This policy is reviewed and updated regularly to ensure ongoing compliance and protection.