lrnit
Security & trust

Enterprise data, protected by design.

lrnit is built multi-tenant from the database up. Your organization’s knowledge and your people’s data stay isolated, access-controlled, and auditable.

Subprocessors

These are the third-party services that process data on our behalf, and what each one sees.

Provider     | Purpose                           | Data processed
Supabase     | Database, authentication, storage | All application data, including the Learner Graph
Vercel       | Application hosting & compute     | Request data and server logs
OpenRouter   | AI gateway to model providers     | Generation prompts: learner profile context, lesson content, answers
Google Cloud | Text-to-speech & embeddings       | Lesson text sent for narration and similarity matching
Sentry       | Error monitoring                  | Error traces and diagnostic metadata (no auth tokens)
E2B          | Sandboxed code execution          | Code you write and run in project lessons
Brave Search | Web content discovery             | Search queries derived from course topics; no personal data

Tenant isolation

  • Row Level Security is enabled on every table holding organization or learner data.
  • Each company’s data is scoped by organization; one tenant can never read another’s rows.
  • Privileged reporting runs through audited security-definer functions that verify the caller's admin rights before returning data, and they filter to the caller's organization explicitly. They never widen row access beyond that organization.
  • Company knowledge documents are retrievable only within the owning organization, enforced at the database layer.
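The pattern the four points above describe, as an added example in Postgres/Supabase SQL; it is written for this page and is not lrnit's schema or code. Table, column and function names are assumptions, auth.uid() is Supabase's helper that returns the caller's user id from the request JWT, and authenticated is Supabase's role for signed-in users.

```sql
-- Added example for this page, not lrnit's schema. Table, column and function
-- names are assumptions; auth.uid() is Supabase's helper returning the caller's
-- user id from the request JWT.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table org_members (
  org_id  uuid not null references organizations(id) on delete cascade,
  user_id uuid not null,   -- auth.users.id
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table company_documents (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations(id) on delete cascade,
  body   text not null
);

-- 1. With RLS enabled a table returns no rows until a policy grants some.
--    No insert/update policies are created: writes stay server-side.
alter table org_members       enable row level security;
alter table company_documents enable row level security;

-- A user sees only their own membership rows...
create policy "own membership rows" on org_members
  for select using (user_id = auth.uid());

-- ...and only documents of organizations those rows put them in. The
-- subquery runs under the policy above, so it cannot leak other tenants'
-- memberships either.
create policy "documents of my organizations" on company_documents
  for select using (exists (
    select 1 from org_members m
    where m.org_id = company_documents.org_id and m.user_id = auth.uid()));

-- 2. Privileged reporting. SECURITY DEFINER runs as the function owner and
--    therefore bypasses the caller's RLS, so the function must (a) verify
--    admin rights itself, (b) pin search_path so no attacker-created object
--    shadows the tables it names, and (c) filter by p_org explicitly. Those
--    three things are what keep it from widening row access.
create or replace function org_role_report(p_org uuid)
returns table (member_role text, member_count bigint)
language plpgsql security definer set search_path = public, pg_temp
as $$
begin
  if not exists (select 1 from org_members
                 where org_id = p_org and user_id = auth.uid()
                   and role in ('owner', 'admin')) then
    raise exception 'not an admin of this organization' using errcode = '42501';
  end if;
  return query
    select m.role, count(*) from org_members m
    where m.org_id = p_org     -- never wider than the requested org
    group by m.role;
end $$;

-- 3. Anonymous callers cannot execute it; signed-in users can, and the
--    check above decides whether they get rows.
revoke execute on function org_role_report(uuid) from public;
grant  execute on function org_role_report(uuid) to authenticated;
```

Two things to verify on a real deployment: that every table holding tenant data actually has RLS enabled (a single table without it is readable through the public API with any valid session), and that no SECURITY DEFINER function is callable by the anon role or omits the search_path setting.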

Authentication & access

  • Authentication is handled by Supabase Auth with Secure, HttpOnly session cookies.
  • Role-based access control: owner, admin, and member roles gate every admin surface and action.
  • Seat limits are enforced server-side on invite and acceptance.
  • Enterprise SSO / SAML can be enabled for your identity provider on request.
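Server-side seat enforcement on both invite and acceptance, as an added example in Postgres/Supabase SQL written for this page (not lrnit's code). Names are assumptions; auth.uid() and auth.jwt() are Supabase's helpers for reading the caller's id and claims from the request JWT, and authenticated is Supabase's role for signed-in users. The point it demonstrates beyond the bullet itself is the race: a count check that is not serialized lets two concurrent requests both pass when one seat remains.

```sql
-- Added example for this page, not lrnit's code. Names are assumptions;
-- auth.uid() and auth.jwt() are Supabase helpers reading the caller's JWT.

create table organizations (
  id         uuid primary key default gen_random_uuid(),
  seat_limit int  not null check (seat_limit > 0)
);

create table org_members (
  org_id  uuid not null references organizations(id) on delete cascade,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table org_invites (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null references organizations(id) on delete cascade,
  email       text not null,
  accepted_at timestamptz,
  unique (org_id, email)
);
-- RLS on with no policies: invites are reachable only through the functions.
alter table org_invites enable row level security;

-- Outstanding invites reserve a seat, so the count at acceptance cannot
-- exceed what was checked at invite time unless the limit was lowered.
create or replace function seats_in_use(p_org uuid) returns int
language sql stable security definer set search_path = public, pg_temp
as $$
  select (select count(*) from org_members where org_id = p_org)::int
       + (select count(*) from org_invites
          where org_id = p_org and accepted_at is null)::int;
$$;

create or replace function invite_member(p_org uuid, p_email text) returns uuid
language plpgsql security definer set search_path = public, pg_temp
as $$
declare v_limit int; v_id uuid;
begin
  if not exists (select 1 from org_members where org_id = p_org
                   and user_id = auth.uid() and role in ('owner', 'admin')) then
    raise exception 'not an admin of this organization' using errcode = '42501';
  end if;
  -- Lock the organization row first. Two concurrent invites (or an invite
  -- and an accept) now serialize on it, so the count cannot go stale between
  -- the check and the insert.
  select seat_limit into v_limit from organizations where id = p_org for update;
  if seats_in_use(p_org) >= v_limit then
    raise exception 'seat limit of % reached', v_limit using errcode = 'P0001';
  end if;
  insert into org_invites (org_id, email) values (p_org, lower(p_email))
    returning id into v_id;
  return v_id;
end $$;

create or replace function accept_invite(p_invite uuid) returns void
language plpgsql security definer set search_path = public, pg_temp
as $$
declare v_org uuid; v_limit int; v_members int;
begin
  -- Only the account whose email claim the invite names may accept it; the
  -- row lock makes a second accept of the same invite see accepted_at set.
  select org_id into v_org from org_invites
  where id = p_invite and accepted_at is null
    and email = lower(auth.jwt() ->> 'email')
  for update;
  if v_org is null then
    raise exception 'no open invite for this user' using errcode = '42501';
  end if;
  select seat_limit into v_limit from organizations where id = v_org for update;
  select count(*) into v_members from org_members where org_id = v_org;
  if v_members >= v_limit then   -- re-check: the limit may have been lowered
    raise exception 'seat limit of % reached', v_limit using errcode = 'P0001';
  end if;
  insert into org_members (org_id, user_id, role)
    values (v_org, auth.uid(), 'member');
  update org_invites set accepted_at = now() where id = p_invite;
end $$;

revoke execute on function invite_member(uuid, text), accept_invite(uuid) from public;
grant  execute on function invite_member(uuid, text), accept_invite(uuid) to authenticated;
```

Because both functions are SECURITY DEFINER and the invites table has no policies, the only way a client can create or consume an invite is through these bodies, which is what makes the seat check "server-side" in a meaningful sense rather than a check in application code that a direct database call could skip.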

Data handling

  • All database writes happen server-side. Service-role credentials never reach the browser.
  • Every administrative action is recorded in a per-organization audit log.
  • API routes enforce authentication, rate limiting, and input caps to resist abuse.
  • We do not log auth tokens or personal data in production.

AI & your data

  • lrnit generates courses, assessments, and feedback by sending prompts to large language models. Those prompts can include your learner profile, your answers, and lesson context — that is what makes the content tailored to you.
  • We never use your data to train models. All AI calls go through API providers (OpenRouter as the model gateway; Google Cloud for speech and embeddings) whose API terms do not grant them the right to train on the data we send.
  • AI calls run exclusively server-side. Provider keys never reach the browser, and prompts are not stored by us beyond the generated output saved to your account.
  • Generated content belongs to your account (or your organization, for company courses).

Encryption & infrastructure

  • All traffic is encrypted in transit with TLS 1.2+. Data is encrypted at rest by our database and hosting providers (AES-256).
  • The application runs on Vercel; the database and authentication run on Supabase (managed Postgres).
  • Error monitoring (Sentry) is configured to exclude auth tokens from the traces and metadata it receives.
  • Data-residency options for the Gulf region are available for qualified deployments.

Data retention & deletion

  • Your Learner Graph (profile, courses, mastery history) is retained while your account is active — longitudinal memory is the product.
  • You can export your full Learner Graph as JSON at any time from Settings ("Download my data").
  • Deleting your account from Settings permanently removes your profile, courses, mastery records, and generated content. This is immediate and irreversible.
  • Organization owners can delete their organization, which permanently removes all company data: members, invites, course templates, company documents, reports, and the audit log.
  • Rows deleted from the live database remain in provider backups only until those backups rotate, at most 30 days, after which they are gone.

lrnit is an early-stage product. We do not yet hold SOC 2, ISO 27001, or similar certifications, and we will not claim them until an independent auditor says so. This page describes the controls that are actually in place; if you need a deeper review for procurement, contact us and we will walk you through the architecture directly.