Security & data
Plain answers about your team’s data.
Where it lives, what we store, how it’s encrypted, what we do (and don’t) train AI on, and how you delete it. No jargon, no vague boilerplate — the answers your IT and legal teams need before approving the vendor record.
Data residency
United States
Encryption
TLS 1.3 in transit · AES-256 at rest
Payment data
Stripe — we never see card numbers
Where customer data lives
Customer data — user accounts, organisation membership, study activity, mock exam responses, calibration scores, training records — is stored in Supabase (Postgres) hosted in the United States. Daily encrypted backups; backups retained 30 days. Application code runs on Vercel’s edge network with the primary region in the US.
What we store about each user
- Account fields: email, hashed password (bcrypt), display name, organisation membership and role.
- Study activity: question attempts, time-on-task, mock-exam responses, self-explanation text, calibration ratings, readiness scores.
- Billing metadata: organisation name, billing email, seat count, plan tier, Stripe customer ID. We do not store credit card numbers, CVVs, or bank details — Stripe handles those directly under their PCI DSS Level 1 compliance.
- No special categories: we don’t collect government IDs, social security numbers, health records, or any GDPR special-category data.
Encryption & internal access
All traffic is TLS 1.3. Data at rest is AES-256-encrypted in Supabase’s managed Postgres. Internal access to production data is limited to the engineering team via 2FA-protected accounts; access is audited. We do not export production data to laptops or unmanaged systems.
AI & model training
Question banks are authored using AI tooling (primarily Anthropic) under a structured editorial pipeline with subject-matter review. We do not send customer learner data — study activity, mock answers, self-explanation responses, or calibration history — to any third-party model provider. Your team’s data is not used to train, fine-tune, or evaluate any AI model.
GDPR & CCPA posture
For team customers, CertPrep Studio acts as a data processor and you (the customer) act as the controller. We sign a standard mutual Data Processing Agreement reflecting the processor obligations under GDPR Art. 28 and the equivalent service-provider obligations under CCPA. Standard Contractual Clauses are included for any EU-origin data. Email hello@certprepstudio.com for the unsigned DPA.
Data export & deletion
Team admins can export the full per-employee training-record dossier at any time directly from the admin dashboard (PDF + CSV). Org-level deletion: email support@certprepstudio.com. We delete production records within 30 days of the request; backups roll off on the 30-day backup retention cycle, so a deleted record can persist in an encrypted backup for up to 60 days after the request before it is gone entirely. Individual users can delete their account from account settings.
Incident response
On a confirmed security incident affecting customer data, we notify affected customers within 72 hours of confirming it, with details of what was accessed, what we’ve done, and what you should do. We maintain an incident-response runbook covering detection, containment, customer notification, and post-mortem. No incidents to report at time of writing.
Audit posture
We are not currently SOC 2 Type II audited. For enterprise customers requiring SOC 2 controls, we share controls documentation, our subprocessors list (below), and a CAIQ-Lite security questionnaire on request. A SOC 2 audit is on the 2027 roadmap. We’re happy to discuss timing if your procurement team requires it before contracting; email hello@certprepstudio.com.
Subprocessor list
Third-party services that process customer data on our behalf. We notify customers of material changes by email. Last updated: May 2026.
| Vendor | Purpose | Region |
| --- | --- | --- |
| Supabase | Database (Postgres) and authentication | United States |
| Stripe | Payment processing — card numbers never touch our servers | United States, EU, UK |
| Vercel | Web application hosting and edge delivery | Global edge network, primary US |
| Anthropic | Content generation pipeline (question authoring) — no customer learner data is sent at runtime | United States |
| Resend | Transactional email delivery | United States |
Have a question we didn’t cover?
Security questionnaires, custom DPAs, controls documentation, penetration test summaries — we send what we have and tell you honestly what we don’t.
hello@certprepstudio.com
See also: privacy policy · procurement reference