Security & data

MENAverse is built for schools. Here is how we handle authentication, access control, and student data.

Hosting

Application and database are hosted on Supabase (PostgreSQL). Data is encrypted in transit via HTTPS/TLS on every request.

Roles

Three roles — student, teacher, admin — each with distinct permissions. Row-level security policies in the database enforce that teachers only see their enrolled students.

Authentication

Supabase Auth handles sign-in with email and password. Server middleware sets session cookies with HttpOnly, Secure (on HTTPS), and SameSite=Lax. Password reset uses secure email links.

Access control

Row-level security enforces that students only see their own progress and teachers only see subjects they teach for each enrolled student. Automated API checks cover answer leakage, cross-student, and cross-teacher access.

Browser hardening

Responses include Content-Security-Policy, Strict-Transport-Security (HTTPS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers.

No ads, no data sales

We do not display advertising or sell, rent, or share student learning data with third parties for marketing.

Class codes

Students join via class codes (format MENA-XXXX) generated server-side. Codes can be regenerated by teachers without affecting enrolled students.

Full details in our Privacy Policy.