How we protect your data, accounts, and certification integrity.
Security Architecture
Every layer of the Agency Script platform is designed with security as a first-class concern, from the edge to the database.
Passwords hashed with bcrypt (cost factor 12). Short-lived JWT sessions with refresh rotation. Multi-factor authentication available for all accounts. Fine-grained role-based access control across learner, instructor, and admin scopes.
TLS 1.3 enforced for all data in transit. AES-256 encryption at rest for sensitive fields. Strict tenant isolation at the database row level ensures no cross-account data leakage.
Immutable, append-only audit logs for every privileged action. Hash-chain integrity verification prevents retroactive tampering. Controls aligned to SOC 2 Trust Services Criteria.
Adaptive rate limiting per endpoint and per consumer. Scoped API key management with automatic rotation reminders. Request-level abuse detection and CSRF protection on all state-changing operations.
Short-lived access tokens (15 min) with secure, httpOnly refresh cookies. Step-up authentication required for sensitive operations like credential issuance. Instant session invalidation on password change.
Deployed on Vercel edge network with automatic DDoS mitigation. Neon PostgreSQL with point-in-time recovery and automated daily backups. Environment secrets managed through encrypted vaults, never checked into source.
Compliance Posture
We map our controls to widely recognized security and AI governance frameworks so enterprise teams can evaluate us with confidence.
Controls mapped to Trust Services Criteria for security, availability, and confidentiality.
Data minimization, right to erasure, Data Processing Agreements available for enterprise customers.
Consumer rights honored: access, deletion, opt-out of sale. No personal data is sold.
Risk management, data governance, and transparency obligations mapped for AI-driven assessment features.
Information security management controls aligned to Annex A. Formal certification on the roadmap.
AI risk functions (Govern, Map, Measure, Manage) applied to our certification and assessment pipelines.
Certification Integrity
An AI certification is only as valuable as the integrity behind it. We enforce anti-fraud measures at every stage of the assessment lifecycle.
Timed exam sessions with activity telemetry detect anomalous patterns and flag submissions for review.
Every lab session and exam attempt is tagged with a unique, non-removable watermark token for traceability.
Submissions are SHA-256 hashed at capture time. Any post-submission modification is cryptographically detectable.
High-tier certifications require independent review by multiple qualified assessors before credential issuance.
Credentials can be revoked instantly if fraud or policy violations are confirmed, with full audit trail.
Employers and partners can verify any credential in real time through our public verification endpoint.
Data Retention & Privacy
We collect only what is necessary, retain it only as long as required, and give you full control over your information.
Responsible Disclosure
We value the security research community. If you discover a vulnerability, we want to hear about it and will work with you to resolve it quickly.
Response time: We acknowledge reports within 2 business days and aim to provide a resolution timeline within 5 business days.
Safe harbor: We will not pursue legal action against researchers who act in good faith, follow responsible disclosure practices, and do not access or modify other users' data.
Acknowledgment: With your permission, we will recognize your contribution on our security hall of fame.
Last reviewed: March 2026
For security inquiries, Data Processing Agreements, or to request our full security documentation package, contact security@agencyscript.com.