Security

Trust & Security

Last updated: May 2026. This page summarises how CourseFoundry stores, processes, and protects your data. For enterprise customers, a signed Data Processing Agreement (DPA) is available on request — see our DPA template.

Infrastructure & Hosting

  • Application hosting: Vercel (Edge Network, US regions by default)
  • Database & auth: Supabase (PostgreSQL). Default region: US-East. Enterprise workspaces can elect EU (Frankfurt) data residency via Settings → Data Residency. User authentication always runs through the US Supabase Auth service; only course and workspace content is region-routed.
  • File storage: Supabase Storage (same region as the workspace database)
  • Course publishing: GitHub Pages (customer-owned repositories — your published content stays in your infrastructure)

EU Data Residency (Enterprise)

Enterprise workspaces can pin their course and workspace data to the EU (Frankfurt, Germany) region. Once enabled from Settings → Data Residency, all new course files, lessons, and workspace metadata are written to a Supabase PostgreSQL instance hosted in Frankfurt (EU-Central-1).

  • Data at rest: AES-256 via Supabase managed encryption, Frankfurt data centre
  • Authentication data: User credentials and JWT sessions are managed by Supabase Auth in the US project. Email addresses and auth tokens are not region-isolated. If full EU auth isolation is required, contact us.
  • Changing region: US → EU: self-service via Settings (Enterprise plan required). EU → US: requires a support-assisted data migration — contact us.
  • Applicable regulation: GDPR Chapter V (International transfers) — EU residency removes the need for SCCs for course data. Auth data transfer to the US is covered by EU-US Data Privacy Framework (self-certification in progress) and our standard SCCs.

Encryption

  • In transit: TLS 1.2 minimum, TLS 1.3 preferred, on all customer-facing endpoints.
  • At rest: AES-256 via Supabase managed encryption (PostgreSQL + Storage).
  • GitHub deploy keys: Ed25519 key pairs encrypted with libsodium sealed-box before storage.
  • Customer-managed keys: Not currently offered. On the roadmap for Enterprise customers.

Backup & Disaster Recovery

  • Backup schedule: Daily automated logical backups via Supabase, 30-day retention.
  • RPO (Recovery Point Objective): ≤ 24 hours.
  • RTO (Recovery Time Objective): ≤ 72 hours.
  • Course content: Courses can be committed to your GitHub repository at any time, giving you a sovereign copy independent of CourseFoundry's infrastructure.

Incident Response

  • Customer notification: Within 48 hours of CourseFoundry becoming aware of a breach affecting your data.
  • Regulatory notification: Within 72 hours, as required by GDPR Article 33.
  • Contact: security@coursefoundry.com
  • Vulnerability disclosure: Responsible disclosure at security@coursefoundry.com. No bug bounty programme currently.
  • Penetration testing: Annual external test by a CREST-accredited firm. Executive summary available under NDA on request.

AI & Your Data

  • AI provider: Anthropic (Claude). CourseFoundry uses the Anthropic API under commercial terms.
  • Training opt-out: Anthropic's commercial API terms explicitly prohibit training on customer data by default. Your course content is never used to train AI models.
  • Zero Data Retention (ZDR): Available for Enterprise customers on request. With ZDR, Anthropic does not store prompts or completions beyond the API call.
  • Prompt logging: CourseFoundry logs token counts and workflow types for billing purposes. Full prompt content is not logged by default.
  • AI disable: Enterprise customers can disable AI features org-wide. Contact us to arrange this.

Certifications & Compliance

Standard | Status
SOC 2 Type II | In progress — Vanta tooling engaged, audit scheduled Q3 2026
ISO/IEC 27001 | Planned Q4 2026, following SOC 2 Type I
Cyber Essentials Plus | In progress
EU-US Data Privacy Framework | Self-certification in progress
GDPR (EU) | Compliant — DPA available on request for Enterprise customers
UK GDPR | Compliant — UK IDTA available on request

Subprocessors

CourseFoundry uses the following third-party subprocessors. We will provide 30 days' notice of any new subprocessor addition via email to affected Enterprise customers.

Subprocessor | Location | Purpose
Supabase | USA (default) · EU (Frankfurt, Enterprise) | Database, authentication, file storage. Course data can be pinned to EU for Enterprise workspaces.
Vercel | USA + Edge | Application hosting, serverless functions, analytics
Anthropic | USA | AI Forge features (course generation, analysis, chat)
GitHub | USA (primarily) | Version control, course publishing via GitHub Pages
Stripe | USA | Payment processing and subscription management
Resend | USA | Transactional email delivery
Zotero | USA | Reference library sync (only when user enables Zotero integration)

Your Rights

  • Access & portability (Art. 15, 20): Download all your data from Settings → Export My Data.
  • Erasure (Art. 17): Delete your account in Settings. All data is permanently removed from our systems within 30 days.
  • Rectification (Art. 16): Update your profile in Settings at any time.
  • DPA / SCCs: Enterprise customers can request a signed Data Processing Agreement. View our DPA template.

Contact

Security questions: security@coursefoundry.com
Privacy & data requests: privacy@coursefoundry.com
Enterprise DPA requests: enterprise@coursefoundry.com