At Everymathia, we take the security of your personal data seriously. This page describes the technical and organisational measures we have in place to protect your information. For details about what data we collect and how we use it, please see our Privacy Policy.
1. Encryption
1.1 Data in Transit
All communication between your browser and our servers is encrypted using TLS (Transport Layer Security) via HTTPS. We enforce HTTPS across the entire platform and automatically upgrade insecure requests.
1.2 Data at Rest
- Passwords — Never stored in plain text. All passwords are hashed using bcrypt with configurable salt rounds before storage. We cannot see or recover your password.
- Session tokens — Generated using cryptographically secure random bytes (32-byte hex strings).
- Email verification and password reset tokens — Generated using the same cryptographically secure method and expire automatically (24 hours and 1 hour respectively).
2. Authentication & Session Security
- Password requirements — Minimum 12 characters with mandatory uppercase, lowercase, number, and special character. Maximum 64 characters.
- Session cookies — Configured with httpOnly (no JavaScript access), secure (HTTPS only in production), and SameSite=Strict (prevents cross-site transmission).
- Session expiry — Sessions expire after 24 hours and are destroyed on logout.
- Session ID generation — Uses cryptographically random 32-byte hex strings, not predictable or sequential.
- Email verification — Required within 24 hours of registration to activate your account.
3. Cross-Site Request Forgery (CSRF) Protection
We use origin-based CSRF protection that validates the Origin and Referer headers on all state-changing requests (POST, PUT, DELETE). Combined with SameSite=Strict cookies, this prevents malicious websites from making requests on your behalf.
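The Origin/Referer check described above, written out as an added example (not Everymathia's own code). It assumes a constructed allow-list, a plain `{ method, headers }` request shape with lower-cased header names as Node's http module delivers them, and an Express-style `res`/`next` for the wrapper.

```javascript
// Added example (not Everymathia's code): the origin-based CSRF check the
// section describes. Assumptions: ALLOWED_ORIGINS is a constructed list, and
// req is a plain { method, headers } object with lower-cased header names as
// Node's http module delivers them.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',   // constructed placeholder for the frontend origin
  'https://www.example.test',   // constructed placeholder for the landing domain
]);

// The page lists POST, PUT and DELETE; PATCH is added here as an assumption
// because it is state-changing too.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// scheme://host[:port] of an absolute URL, or null if it does not parse.
// "Origin: null" (sandboxed frames, some privacy settings) fails to parse and
// is therefore rejected below rather than treated as same-site.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Returns { ok, reason }. Origin is preferred; Referer is the fallback because
// some browsers omit Origin on certain requests. If neither is present the
// request is rejected: an absent header is not evidence of a same-site request.
function csrfCheck(req) {
  const method = String(req.method).toUpperCase();
  if (!STATE_CHANGING.has(method)) return { ok: true, reason: 'safe method' };
  const { origin, referer } = req.headers;
  let source;
  if (origin !== undefined) source = originOf(origin);
  else if (referer !== undefined) source = originOf(referer);
  else return { ok: false, reason: 'missing Origin and Referer' };
  if (source === null) return { ok: false, reason: 'unparseable origin' };
  if (!ALLOWED_ORIGINS.has(source)) return { ok: false, reason: 'origin not allowed: ' + source };
  return { ok: true, reason: 'origin allowed' };
}

// Express-style middleware wrapper (assumed shape): reject before any handler runs,
// with a generic message only, in line with the error-handling section.
function csrfMiddleware(req, res, next) {
  const result = csrfCheck(req);
  if (!result.ok) return res.status(403).json({ error: 'Forbidden' });
  next();
}
```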
4. Content Security Policy (CSP)
We enforce a strict Content Security Policy via HTTP headers that controls which resources the browser is allowed to load:
- Scripts — Only from our own domain and Stripe (for payment processing)
- Styles — Only from our own domain and Google Fonts
- Fonts — Only from our own domain and Google Fonts
- Connections — Only to our own domain, Stripe API, and Anthropic API (for content generation)
- Frames — No iframe embedding allowed; our site cannot be framed by other sites
- Objects/plugins — Completely blocked
5. Input Validation & Sanitisation
- XSS prevention — All user input is validated and sanitised. Study notes are processed through a strict HTML sanitiser that strips all HTML tags. User names are HTML-escaped on storage.
- NoSQL injection prevention — Input is filtered to remove database query operators and null bytes. All database identifiers are validated against expected formats.
- Email normalisation — Email addresses are normalised to lowercase and validated for format.
- Length limits — All text fields have enforced maximum lengths (e.g., study notes: 10,000 characters, contact form messages: 5,000 characters).
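The operator stripping, identifier validation and email normalisation described in this list, as an added example (not Everymathia's code) for a MongoDB-style store. It assumes request bodies arrive as parsed JSON, that identifiers are 24-hex-character ObjectIds, and uses a deliberately simple email shape check; the sample login body is constructed.

```javascript
// Added example (not Everymathia's code): the input-filtering steps the list
// above describes for a MongoDB-style store. Assumptions: bodies arrive as
// parsed JSON; database identifiers are 24-hex-character ObjectIds; the email
// pattern is a deliberately simple shape check.
const NUL = /\0/g;
const OBJECT_ID = /^[0-9a-f]{24}$/i;
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Recursively drops keys that a query engine would read as operators ('$'
// prefix) or field paths ('.' inside) and strips null bytes from strings and
// keys. Returns a new value; arrays and nested objects are walked.
function stripOperators(value) {
  if (typeof value === 'string') return value.replace(NUL, '');
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      if (key.startsWith('$') || key.includes('.')) continue;
      out[key.replace(NUL, '')] = stripOperators(v);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Identifiers are checked against the expected format before reaching a query.
function isValidId(id) {
  return typeof id === 'string' && OBJECT_ID.test(id);
}

// Lowercase + trim, then a shape check; returns null for anything that fails.
function normaliseEmail(raw) {
  if (typeof raw !== 'string') return null;
  const email = raw.replace(NUL, '').trim().toLowerCase();
  return EMAIL.test(email) ? email : null;
}

// Constructed sample: a login body whose password field arrived as an object
// carrying an operator key rather than a string. After filtering the operator
// is gone, and the remaining type check rejects the request instead of
// building a query from it.
const sampleLogin = { email: ' Alice@Example.com\0', password: { $ne: '' } };
function checkLogin(body) {
  const clean = stripOperators(body);
  const email = normaliseEmail(clean.email);
  if (email === null || typeof clean.password !== 'string') return { accepted: false };
  return { accepted: true, email };
}
```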
6. Rate Limiting
We enforce rate limits across all sensitive endpoints to prevent brute-force attacks and abuse:
- Login attempts: 10 per 15 minutes
- Account registration: 10 per hour
- Password reset and email verification: 5 per hour
- Quiz submissions: 30 per minute
- Study note creation: 20 per minute
- Data exports: 10 per 15 minutes
Exceeding these limits results in temporary access restrictions. For the full list, see our Terms of Service.
7. Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Credit card numbers, CVVs, and billing addresses never touch our servers. Stripe webhook signatures are verified using raw request bodies to prevent tampering. See Stripe's Privacy Policy.
8. AI Content Generation Security
We use Anthropic's Claude AI to generate educational content. Your personal data is never sent to Anthropic. Only educational content prompts (course topics, chapter descriptions) are transmitted. All generated content is stored on our servers before being served to you. See Anthropic's Privacy Policy.
9. Administrative Security
- Role-based access control — Administrative functions are restricted to authorised admin accounts only.
- Audit trail — All administrative actions (content approval, user management, configuration changes) are logged with the admin's identity, action performed, IP address, and timestamp. Audit logs are retained for 90 days.
- File upload validation — Administrative file uploads are validated by MIME type, file extension, and magic byte signature. Only approved file types are accepted, with strict size limits.
10. Error Handling & Information Disclosure
In production, our application returns generic error messages only. Detailed error information, stack traces, and internal system details are never exposed to users. All errors are logged internally with sensitive fields (passwords, tokens, session IDs, emails) automatically redacted from log output.
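Automatic redaction of sensitive fields before an error reaches the log, as an added example (not Everymathia's code). The key pattern starts from the fields the section names (passwords, tokens, session IDs, emails) and adds cookie and authorization headers as an assumption; the recursion depth limit and the sample request context are constructed.

```javascript
// Added example (not Everymathia's code): redacting sensitive fields before an
// error and its request context are written to the internal log. Assumptions:
// the key pattern extends the page's list (passwords, tokens, session IDs,
// emails) with cookie/authorization headers; the depth limit is an assumption.
const SENSITIVE_KEY = /pass(word)?|token|secret|session|cookie|authorization|email/i;
const EMAIL_RE = /[\w.+-]+@(?:[\w-]+\.)+[\w-]{2,}/g;

// Emails inside free text (error messages, notes) keep only their first letter
// and domain, enough to correlate incidents without logging the address.
function maskEmails(text) {
  return text.replace(EMAIL_RE, (m) => m[0] + '***' + m.slice(m.indexOf('@')));
}

// Walks the context object, replacing values under sensitive keys and masking
// emails in strings. Error objects keep name and message; the stack is omitted
// in this example so that nothing in it can leak into the redacted record.
function redact(value, depth = 0) {
  if (depth > 20) return '[depth limit]'; // guards cyclic or absurdly deep input
  if (typeof value === 'string') return maskEmails(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value instanceof Error) return { name: value.name, message: maskEmails(value.message) };
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Produces the JSON line a logger would write; the user-facing response stays generic.
function logSafe(level, message, context) {
  return JSON.stringify({ level, message: maskEmails(message), context: redact(context) });
}

// Constructed sample: the context a failed login handler might attach.
const sampleContext = {
  route: '/api/login',
  body: { email: 'alice@example.com', password: 'hunter2' },
  headers: { cookie: 'sid=abc123', 'x-request-id': 'req-1' },
  error: new Error('Login failed for alice@example.com'),
};
```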
11. Data Retention & Deletion
We follow a strict data retention policy:
- Account data — Retained until you request deletion
- Quiz attempt history — Automatically deleted after 1 year
- Administrative audit logs — Automatically deleted after 90 days
- Sessions — Expire after 24 hours
- Verification tokens — Expire after 24 hours
- Password reset tokens — Expire after 1 hour
When you delete your account, we perform a cascade deletion that removes your profile, study notes, quiz attempts, active Stripe subscription, and all sessions. See our Privacy Policy for full details.
12. Data Breach Response
In the event of a data breach affecting your personal information:
- We will notify affected users via email within 72 hours of discovery
- We will notify relevant authorities as required by applicable law
- Our notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommended actions you can take to protect yourself
13. Infrastructure Security
- Reverse proxy — Our application sits behind an Nginx reverse proxy that handles TLS termination and adds an additional security layer.
- CORS policy — Cross-origin requests are restricted to explicitly allowed origins (our frontend and landing domains only). Credentials are only accepted from trusted origins.
- Request size limits — Request bodies are limited to 10 MB to prevent denial-of-service via oversized payloads.
- Response compression — Enabled to reduce data exposure during transit and improve performance.
14. Your Role in Security
You can help protect your account by:
- Choosing a strong, unique password (at least 12 characters with mixed case, numbers, and symbols)
- Not sharing your account credentials with anyone
- Logging out when using shared devices
- Verifying your email address promptly after registration
- Contacting us immediately if you suspect unauthorised access to your account
Contact Us
If you have questions about our security practices or want to report a security concern, please contact us:
Email: privacy@everymathia.com
Address: Everymathia Learning Platform