Tutorbase

Security

Last updated: May 2026

1 Overview

Tutorbase is a business-to-business platform used by tutoring centers, language schools, and similar organizations to manage their operations. Customer data held in the platform typically includes student and parent contact details, lesson schedules and attendance, invoices and payment records, and staff and teacher information.

This page summarises how we protect that data. It is written for the practical questions a procurement reviewer asks: where is data hosted, how is it encrypted, who has access, how do we respond to incidents, and which compliance frameworks we participate in or do not. For full legal terms, see our Privacy Policy and Data Processing Addendum.

2 Hosting and Infrastructure

Tutorbase runs on managed cloud infrastructure. The full list of sub-processors, their purpose, and their processing region is published at tutorbase.com/sub-processors.

  • Web tier: Hosted on Vercel (United States, with global edge delivery). Vercel maintains a SOC 2 Type II attestation and ISO 27001 certification.
  • Backend and worker tier: Hosted on Railway (United States). Application servers, background workers, and the Procrastinate job queue run on this tier.
  • Primary database: Hosted on Supabase (United States). The Postgres database stores customer-controlled records and application state. Supabase maintains a SOC 2 Type II attestation.
  • Authentication: Handled by Clerk (United States). Passwords are stored and verified by Clerk; Tutorbase never sees raw credentials. Clerk maintains a SOC 2 Type II attestation.

3 Authentication and Access Control

3.1 Customer access

  • Sign-in is delegated to Clerk, which supports passwordless email codes and OAuth providers.
  • Each subscriber organization is a separate tenant. Customer data is logically isolated at the application and database layers; one organization cannot read or modify another's data.
  • Role-based access control inside an organization separates administrator, teacher, and other roles, and restricts staff-only routes from teacher accounts.

3.2 Personnel access

  • Personnel access to production systems follows the principle of least privilege.
  • Multi-factor authentication is required for personnel access to all production systems and provider consoles.
  • Administrative access to production is logged and monitored centrally.

4 Data Encryption

  • In transit: All connections to Tutorbase are served over HTTPS using TLS 1.2 or higher. Internal traffic between Tutorbase services uses transport encryption provided by the underlying cloud infrastructure.
  • At rest: The primary Postgres database is encrypted at rest using the encryption controls provided by Supabase. Backups inherit the same encryption.
  • Payment data: Tutorbase does not store payment card numbers. Card handling is delegated to Stripe and tokenized at the browser via Stripe Elements or Stripe Checkout, which keeps card data outside the Tutorbase payment-card-industry (PCI) scope.

5 Backups and Recovery

  • Backup cadence: The primary database is backed up automatically by Supabase on a rolling schedule.
  • Retention window: Backups are retained for up to 30 days. After 30 days they are overwritten in the ordinary course of business.
  • Recovery commitment: Tutorbase maintains operational procedures to restore service from the most recent healthy backup in the event of catastrophic data loss. Recovery time and recovery point objectives are managed in line with industry norms for managed Postgres deployments.

6 Vulnerability and Incident Response

6.1 Reporting a vulnerability

If you have identified a security vulnerability in Tutorbase, please email security@tutorbase.com with a description of the issue, the steps to reproduce, and the impact you observed. We acknowledge legitimate reports within two business days and work with reporters to verify and remediate the issue. We do not currently offer a paid bug bounty.

6.2 Incident response

Tutorbase maintains a documented incident response procedure covering detection, triage, containment, eradication, recovery, and post-incident review.

6.3 Breach notification

Tutorbase commits to notifying subscribers of personal data breaches affecting their data within 72 hours of becoming aware of a notifiable breach, in line with GDPR Article 33 and the Data Processing Addendum at tutorbase.com/dpa.

7 Compliance Posture

Tutorbase publishes the following documents to support customer compliance and procurement diligence:

  • Privacy Policy — what we collect, why, retention periods, your rights.
  • Data Processing Addendum — incorporates the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum.
  • Sub-Processors — the current third-party vendor list with purpose, data categories, and region.

Tutorbase has appointed an EU representative under GDPR Article 27. Contact details are listed in the Privacy Policy.

Tutorbase's infrastructure runs on providers with independent SOC 2 Type II attestation, including Vercel (web), Supabase (database), Clerk (authentication), and Stripe (payments). We add company-level attestations as our customer profile grows; if your procurement requires a specific framework, contact security@tutorbase.com and we'll walk you through where we are and what's planned.

8 Reporting a Concern

For security concerns, including suspected vulnerabilities and abuse reports, contact security@tutorbase.com. Please include:

  • A description of the issue and the impact you observed
  • Steps to reproduce, where applicable
  • Any logs, screenshots, or supporting artefacts
  • Your preferred contact channel and how you would like to be credited if the issue is fixed

For privacy concerns and data-subject requests, please contact privacy@tutorbase.com instead. See the Privacy Policy for the full process.

9 Security FAQ

How does Tutorbase encrypt customer data?

Tutorbase encrypts personal data in transit using TLS 1.2 or higher, and at rest in its primary Postgres database via its database provider's encryption-at-rest controls.

Where is Tutorbase customer data hosted?

Tutorbase hosts its web tier on Vercel (US with global edge), its backend application and worker tier on Railway (US), and its primary database on Supabase (US). The full sub-processor list is published at tutorbase.com/sub-processors.

Who has access to Tutorbase customer data?

Personnel access to production systems is governed by role-based access control, the principle of least privilege, and multi-factor authentication. Customer data is logically isolated between subscriber organizations at the application and database layers.

How does Tutorbase respond to security incidents?

Tutorbase commits to notifying subscribers of personal data breaches within 72 hours of becoming aware of a notifiable breach, in line with the Data Processing Addendum at tutorbase.com/dpa. Reports may be sent to security@tutorbase.com.

Is Tutorbase SOC 2 or ISO 27001 attested?

Tutorbase's underlying infrastructure providers (Vercel, Supabase, Clerk, Stripe) hold SOC 2 Type II attestations. Tutorbase itself does not currently hold a separate company-level attestation; we maintain that as an option to pursue when an institutional customer formally requires it.
