Trust & Compliance
Security at Coachingle Study
Last updated: May 5, 2026
We handle student and tutor data with the practices below. We publish what we actually do — not what we wish we did. If a control is in progress (like SOC 2 Type 1), we say so explicitly.
Our security posture
Coachingle Study is operated by Coachingle Technologies Private Limited. The platform runs on Vercel (US/EU regions) for application hosting and PostgreSQL on Neon (US regions) for primary data storage. Data for all US/UK student and tutor accounts resides in US regions; Indian institute data resides in Asia-Pacific.
Data protection in transit and at rest
- In transit: All connections to Coachingle use TLS 1.2 or higher. HTTP traffic is redirected to HTTPS at the edge.
- At rest: Database storage is encrypted using AES-256 by our infrastructure provider (Neon). Object storage (uploaded files) uses server-side encryption.
- Backups: Daily automated backups with 30-day retention. Backups are encrypted to the same standards as primary storage.
Authentication and access
- Passwords: Stored using bcrypt with a per-user salt. We never store plaintext passwords or recoverable hashes.
- Session tokens: JWT-based sessions with rotation on each authentication. Sessions expire after 30 days of inactivity.
- OAuth: Google and GitHub OAuth supported for single-click login. We do not request more scopes than necessary.
- SSO/SAML 2.0: Available for Tutor Agency and Institute tier accounts via WorkOS integration.
- Internal access: Engineering team access is gated through SSO with 2FA required. Production database access is logged and time-bounded.
Sub-processors
We use the following sub-processors to deliver the service. We update this list when sub-processors change.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting and edge network | US, EU |
| Neon | PostgreSQL database | US (US/UK accounts) |
| AWS S3 | Object storage for uploaded files and generated assets | US (US/UK accounts) |
| Stripe Inc. | Payment processing for USD/GBP plans | US |
| OpenAI / Azure OpenAI | AI generation (cheatsheets, MCQs, essay grading) | US |
| Google Cloud (Gemini) | AI generation (alternate model paths, image generation) | US |
| Resend | Transactional email | US |
| WorkOS | SSO/SAML for Tutor Agency and Institute accounts | US |
| PostHog | Product analytics (anonymous events) | US |
Compliance and certifications
- SOC 2 Type 1: In progress. We are working with Vanta to complete SOC 2 Type 1 readiness in 2026. We will publish the report when issued. We do not currently claim SOC 2 compliance.
- GDPR: We support GDPR data subject rights. See our GDPR page for details.
- CCPA: California residents have the rights described on our CCPA page.
- DPA: A data processing agreement is available for Tutor and Institute tier customers. See our DPA page.
- FERPA: Coachingle is not currently a designated FERPA service provider. Schools that need FERPA-aligned vendor agreements should contact us directly.
- COPPA: Coachingle is not designed for children under 13. Account registration requires age 13+. We do not knowingly collect data from children under 13.
Vulnerability disclosure
Found a security issue? Email security@coachingle.com. We acknowledge reports within 2 business days and aim to remediate critical issues within 14 days.
Please do not exploit, exfiltrate, or share user data. We do not have a paid bug bounty program at this stage but will publicly credit researchers who report responsibly (with permission).
Incident response
In the event of a confirmed security incident affecting customer data, we notify affected customers within 72 hours. Notification includes the nature of the incident, data categories affected, mitigation steps taken, and recommendations for affected users.
Data retention and deletion
On account deletion, we delete user-identifiable data within 30 days. Aggregated, anonymous usage data may be retained longer for product analytics. Backups containing deleted data roll off within 30 days of the deletion request.
Questions about this page? privacy@coachingle.com