Authentication and sessions
IQEducate uses Google OAuth for sign-in. We never ask users to create or store a password with us, which removes an entire category of credential-handling risk. Sign-in is delegated to Google, and we only receive the identity details needed to establish an account.
Once signed in, users are issued server-side sessions rather than long-lived tokens held in the browser. Session state is managed on the server so access can be governed and revoked centrally.
Per-organization data isolation
IQEducate is multi-tenant, so keeping one organization's data invisible to another is fundamental. Every tenant record carries an organization identifier, and isolation is enforced on the server for each request — not left to the interface to hide.
- Organization scoping is checked server-side on every data request.
- Role-based permissions determine what each member can see and do within their own organization.
- External learners in client portals only see the content explicitly assigned or made visible to them.
Roles, permissions, and audit logging
Access inside an organization is governed by defined roles — org admin, content admin, teacher, manager, learner, and external learner — each mapped to specific permissions. When multiple roles apply, the highest applicable privilege resolves.
Administrative actions are recorded in an audit log so that changes to sensitive configuration and membership can be reviewed after the fact.
API keys, webhooks, and integrations
The REST API authenticates with API keys that are stored as SHA-256 hashes rather than in plain text, and each key is limited to scoped permissions. Outbound webhooks are signed with HMAC so receiving systems can verify that a payload genuinely came from IQEducate.
Storage and data in transit
Application data is stored in PostgreSQL, and uploaded files and generated documents such as certificates are kept in object storage with access controls. Traffic between clients and our servers is protected with TLS in transit.
Responsible disclosure
If you believe you have found a security issue in IQEducate, we want to hear about it. Security reports can be sent through the contact channel on this site. Please give us enough detail to reproduce the issue, and allow reasonable time to investigate and respond before any public disclosure. We appreciate researchers who report responsibly.
Frequently asked questions
Does IQEducate store passwords?
No. Sign-in is handled through Google OAuth, so there are no IQEducate passwords to create, reset, or leak. We only receive the identity details needed to establish an account.
Is IQEducate SOC 2 or ISO 27001 certified?
No. We do not currently hold SOC 2, ISO 27001, or similar certifications, and we will not claim otherwise. We describe our security as an engineering practice and list the concrete controls we have in place.
How is one organization's data kept separate from another's?
IQEducate is multi-tenant. Every tenant record carries an organization identifier, and that scoping is enforced on the server for every request, so members of one organization cannot access another organization's data.
How do I report a security vulnerability?
Please use the contact channel on this site to send a report. Include enough detail to reproduce the issue and allow reasonable time for us to investigate before public disclosure.