# Privacy & Security Whitepaper

**Building Code Academy** | Enterprise Security Overview
**Document Version:** 1.0 | **Date:** February 2026
**Classification:** Public

---

## Executive Summary

Building Code Academy (BCA) provides an online learning platform for ICC certification exam preparation and continuing education. This whitepaper details our security architecture, data protection measures, and compliance posture for enterprise procurement teams evaluating BCA as a SaaS vendor.

## Authentication & Identity

### Authentication Methods

| Method | Status | Details |
|--------|--------|---------|
| Email/Password | Available | Supabase Auth with bcrypt hashing |
| SAML 2.0 SSO | Available | Microsoft Entra ID, Okta, Google Workspace, OneLogin |
| SSO Enforcement | Available | Org admins can disable password login for their domain |
| MFA | Supported | Via Supabase Auth (TOTP) |

### SAML 2.0 SSO

- Just-in-Time (JIT) user provisioning
- IdP attribute mapping to BCA roles
- SSO-only enforcement per organization
- Supports metadata URL and manual XML configuration
- Test connection validation before activation
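
The following TypeScript sketch is an added illustration of the JIT provisioning, attribute mapping and SSO-only enforcement listed above; it is not BCA's code. It assumes the SAML response has already been signature-, audience- and replay-checked upstream and that the IdP sends group membership in a `groups` attribute. The `OrgSsoConfig`, `groupToRole` and `verifiedDomains` names are invented for the example, as is the rule that the IdP may grant `admin` but never `owner`.

```typescript
// Added example (not BCA's implementation). Input is the attribute set of a SAML
// assertion whose signature, audience and replay checks already passed upstream.

type Role = "owner" | "admin" | "member";

interface OrgSsoConfig {
  orgId: string;
  verifiedDomains: string[];         // e-mail domains the org has proven it controls
  ssoOnly: boolean;                  // SSO enforcement: password login refused for these domains
  groupToRole: Record<string, Role>; // IdP group value -> BCA role (attribute name "groups" is assumed)
}

interface SamlAttributes {
  nameId: string;   // persistent subject identifier issued by the IdP
  email: string;
  groups: string[];
}

interface OrgUser {
  userId: string;
  orgId: string;
  email: string;
  role: Role;
  provisioned: boolean; // true only on the login that created the account
}

type ProvisionResult = { ok: true; user: OrgUser } | { ok: false; reason: string };

// A Map keyed by (orgId, nameId) stands in for the users table.
type UserStore = Map<string, OrgUser>;

const RANK: Record<Role, number> = { member: 1, admin: 2, owner: 3 };

function storeKey(orgId: string, nameId: string): string {
  return `${orgId}\u0000${nameId}`;
}

function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  return at > 0 && at < email.length - 1 ? email.slice(at + 1).toLowerCase() : null;
}

// Highest-ranked role granted by any mapped group, defaulting to "member".
// "owner" is never assignable from the IdP in this example: ownership is managed
// only through BCA's own organization settings (an assumption of this sketch).
function roleFromGroups(groups: string[], mapping: Record<string, Role>): Role {
  let role: Role = "member";
  for (const g of groups) {
    const mapped = mapping[g];
    if (mapped !== undefined && mapped !== "owner" && RANK[mapped] > RANK[role]) role = mapped;
  }
  return role;
}

function provisionFromAssertion(cfg: OrgSsoConfig, attrs: SamlAttributes, users: UserStore): ProvisionResult {
  // Only identities from a domain the organization has verified may be provisioned into it.
  const domain = emailDomain(attrs.email);
  if (domain === null || !cfg.verifiedDomains.includes(domain)) {
    return { ok: false, reason: `domain not verified for ${cfg.orgId}` };
  }
  const role = roleFromGroups(attrs.groups, cfg.groupToRole);
  const key = storeKey(cfg.orgId, attrs.nameId);
  const existing = users.get(key);
  if (existing !== undefined) {
    // Repeat login: re-apply the mapped role (so removal from an IdP group demotes),
    // but never strip ownership that was granted inside BCA.
    const updated: OrgUser = { ...existing, email: attrs.email, role: existing.role === "owner" ? "owner" : role, provisioned: false };
    users.set(key, updated);
    return { ok: true, user: updated };
  }
  const user: OrgUser = { userId: `u_${users.size + 1}`, orgId: cfg.orgId, email: attrs.email, role, provisioned: true };
  users.set(key, user);
  return { ok: true, user };
}

// Password login path: refused for any domain whose organization has enabled SSO-only.
function passwordLoginAllowed(email: string, orgs: OrgSsoConfig[]): boolean {
  const domain = emailDomain(email);
  return domain !== null && !orgs.some(o => o.ssoOnly && o.verifiedDomains.includes(domain));
}

// Usage with a constructed org configuration and assertion attributes:
const demoOrg: OrgSsoConfig = {
  orgId: "org_acme", verifiedDomains: ["acme.example"], ssoOnly: true,
  groupToRole: { "bca-admins": "admin", "bca-owners": "owner" },
};
const demoUsers: UserStore = new Map();
console.log(provisionFromAssertion(demoOrg,
  { nameId: "idp-7f3a", email: "jane@acme.example", groups: ["bca-admins", "bca-owners"] }, demoUsers));
// -> role "admin": the "bca-owners" mapping is ignored
console.log(passwordLoginAllowed("jane@acme.example", [demoOrg])); // -> false (SSO-only org)
```

The domain check is the part most often missing from JIT implementations: without it, any IdP that can be configured for some organization could mint accounts inside a different tenant simply by asserting an e-mail at that tenant's domain.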

### Session Management

- Session cookies marked `Secure` and `HttpOnly` in production (sent only over TLS, unreadable from page script)
- 24-hour CSRF token rotation
- Server-side session validation on every request
- Automatic session refresh via Supabase Auth
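
As an added illustration, not BCA's code, of the session-bound CSRF token referred to here and described under API Protection below (double-submit, HMAC validation, constant-time comparison, 24-hour rotation), the TypeScript below issues and verifies such a token. The token layout, the `x-csrf-token` header name and the rotate-at-half-life rule are assumptions of this example.

```typescript
// Added example (not BCA's implementation) of a session-bound double-submit CSRF token.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const TOKEN_TTL_SECONDS = 24 * 60 * 60; // 24-hour rotation window

function hmacHex(secret: string, message: string): string {
  return createHmac("sha256", secret).update(message).digest("hex");
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths, so the
// length check comes first; it reveals only the length, never which byte differed.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Token layout: <issuedAt>.<nonce>.<hmac(secret, sessionId.issuedAt.nonce)>.
// Keying the MAC with a server secret and binding it to the session id means a
// value planted in the cookie by a sibling-subdomain page (the classic weakness of
// unsigned double-submit) cannot pass verification.
function issueCsrfToken(secret: string, sessionId: string, now: number = Math.floor(Date.now() / 1000)): string {
  const nonce = randomBytes(16).toString("hex");
  return `${now}.${nonce}.${hmacHex(secret, `${sessionId}.${now}.${nonce}`)}`;
}

type CsrfVerdict = { ok: true; rotate: boolean } | { ok: false; reason: string };

// cookieToken is the value of the CSRF cookie; headerToken is the copy the client
// echoes in an `x-csrf-token` header (or a form field) on every state-changing request.
function verifyCsrf(secret: string, sessionId: string, cookieToken: string | undefined, headerToken: string | undefined, now: number = Math.floor(Date.now() / 1000)): CsrfVerdict {
  if (cookieToken === undefined || headerToken === undefined) return { ok: false, reason: "token missing" };
  // 1. Double submit: the cookie and the echoed copy must be identical.
  if (!safeEqual(cookieToken, headerToken)) return { ok: false, reason: "cookie/header mismatch" };
  // 2. Structural check before any crypto.
  const parts = cookieToken.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  const [issuedAtStr, nonce, mac] = parts as [string, string, string];
  if (!/^\d+$/.test(issuedAtStr) || !/^[0-9a-f]{32}$/.test(nonce)) return { ok: false, reason: "malformed token" };
  const issuedAt = Number(issuedAtStr);
  // 3. Signature, compared in constant time.
  if (!safeEqual(mac, hmacHex(secret, `${sessionId}.${issuedAt}.${nonce}`))) return { ok: false, reason: "bad signature" };
  // 4. Age: past the TTL the token is refused; past half the TTL the caller should
  //    re-issue one so an active client never sees an expiry.
  const age = now - issuedAt;
  if (age < 0 || age > TOKEN_TTL_SECONDS) return { ok: false, reason: "expired" };
  return { ok: true, rotate: age > TOKEN_TTL_SECONDS / 2 };
}

// Usage with a constructed secret and session id:
const demoSecret = "replace-with-a-server-side-secret";
const demoToken = issueCsrfToken(demoSecret, "session-123");
console.log(verifyCsrf(demoSecret, "session-123", demoToken, demoToken)); // -> { ok: true, rotate: false }
console.log(verifyCsrf(demoSecret, "session-999", demoToken, demoToken)); // -> { ok: false, reason: "bad signature" }
```

The order of checks matters: the cheap structural and double-submit comparisons run before the HMAC so malformed input never reaches the keyed operation, and every comparison that involves a secret-derived value goes through `safeEqual`.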

## Authorization Model

### Row-Level Security (RLS)

BCA uses PostgreSQL Row-Level Security for data isolation:

- **User isolation:** Users can only query their own data (progress, bookmarks, certifications)
- **Organization isolation:** B2B tenants are isolated at the database level
- **Role-based access:** Organization members have role-based permissions (owner, admin, member)

### API Authorization

- All API routes verify authentication via Supabase session
- Organization endpoints verify membership and role before processing
- Admin endpoints restricted to owner/admin roles
- Service role key used only for server-side operations (never exposed to clients)

## Encryption

### Data in Transit

- **TLS 1.2+** enforced on all connections
- **HSTS** with `max-age=63072000; includeSubDomains`
- **Certificate transparency** monitoring via Vercel

### Data at Rest

- **AES-256** encryption at the database level (AWS/Supabase)
- **Encrypted backups** with automated daily snapshots
- **Point-in-time recovery** available for disaster recovery

## Network Security

### Security Headers

```
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: [configured for application needs]
Cross-Origin-Opener-Policy: same-origin
Strict-Transport-Security: max-age=63072000; includeSubDomains
```

The `X-XSS-Protection` header is a legacy control: Firefox never implemented it and Chromium removed its XSS Auditor, so on current browsers cross-site scripting defence rests on the Content-Security-Policy and React's output encoding; the header remains only for older browsers.

### API Protection

- **CSRF Protection:** Double-submit token with HMAC validation and constant-time comparison
- **Rate Limiting:** Upstash Redis-backed per-IP rate limiting
  - Authentication endpoints: 5 requests/minute
  - Email endpoints: 3 requests/minute
  - General API: 30 requests/minute
- **Input Validation:** Zod schema validation on all request bodies and query parameters
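
An added TypeScript illustration, not BCA's code, of the per-IP tiers listed above, implemented as a sliding-window log. An in-memory `Map` stands in for the Upstash Redis store the real deployment would use so that every serverless instance shares one count; the route-to-tier mapping and the choice of a sliding-window log over Upstash's own algorithms are assumptions of this example.

```typescript
// Added example (not BCA's implementation) of tiered per-IP rate limiting.

interface RateLimitPolicy { limit: number; windowMs: number }

// Tiers from the whitepaper: 5/min for authentication, 3/min for e-mail, 30/min otherwise.
const POLICIES: { auth: RateLimitPolicy; email: RateLimitPolicy; general: RateLimitPolicy } = {
  auth:    { limit: 5,  windowMs: 60_000 },
  email:   { limit: 3,  windowMs: 60_000 },
  general: { limit: 30, windowMs: 60_000 },
};
type Tier = keyof typeof POLICIES;

interface RateLimitResult { allowed: boolean; remaining: number; retryAfterSeconds: number }

// Sliding-window log: the timestamps of recent hits per (tier, ip). A Map stands in
// for the shared Upstash Redis store; a per-instance map would let each serverless
// instance grant its own quota, which is why the real count must live in Redis.
class SlidingWindowLimiter {
  private readonly hits: Map<string, number[]>;
  private readonly policies: Record<Tier, RateLimitPolicy>;

  constructor(policies: Record<Tier, RateLimitPolicy>) {
    this.policies = policies;
    this.hits = new Map();
  }

  check(tier: Tier, ip: string, now: number = Date.now()): RateLimitResult {
    const policy = this.policies[tier];
    const key = `${tier}:${ip}`;
    const windowStart = now - policy.windowMs;
    const recent = (this.hits.get(key) ?? []).filter(t => t > windowStart); // expire old hits
    if (recent.length >= policy.limit) {
      this.hits.set(key, recent);
      const oldest = recent[0] ?? now;
      const retryAfterMs = oldest + policy.windowMs - now; // when the oldest hit leaves the window
      return { allowed: false, remaining: 0, retryAfterSeconds: Math.max(1, Math.ceil(retryAfterMs / 1000)) };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: policy.limit - recent.length, retryAfterSeconds: 0 };
  }
}

// Route families are illustrative; the real path layout is not given in the whitepaper.
function tierForPath(pathname: string): Tier {
  if (pathname.startsWith("/api/auth/")) return "auth";
  if (pathname.startsWith("/api/email/")) return "email";
  return "general";
}

// Response headers for a limited request. The client IP must come from the hosting
// platform's trusted header, never from a client-controlled X-Forwarded-For value.
function rateLimitHeaders(r: RateLimitResult): Record<string, string> {
  return r.allowed
    ? { "X-RateLimit-Remaining": String(r.remaining) }
    : { "X-RateLimit-Remaining": "0", "Retry-After": String(r.retryAfterSeconds) };
}

// Usage with a constructed burst of six login attempts from one address, one second apart:
const demoLimiter = new SlidingWindowLimiter(POLICIES);
const demoStart = Date.now();
for (let i = 0; i < 6; i++) {
  const r = demoLimiter.check(tierForPath("/api/auth/login"), "203.0.113.5", demoStart + i * 1000);
  console.log(i + 1, r.allowed ? `allowed, ${r.remaining} left` : `blocked, retry after ${r.retryAfterSeconds}s`, rateLimitHeaders(r));
}
// -> requests 1-5 allowed, request 6 blocked with Retry-After 55
```

Per-IP keys are a coarse control: users behind one corporate NAT share a budget, while an attacker with many addresses gets many budgets. For the authentication tier a second key on the target account (or e-mail) is the usual complement.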

## Infrastructure

### Hosting Architecture

```
User → Vercel Edge CDN → Next.js Server Functions → Supabase (PostgreSQL)
                                                  → Stripe (Payments)
                                                  → Resend (Email)
```

### Service Providers

All infrastructure providers maintain a current SOC 2 Type II attestation (SOC 2 is an auditor's attestation report rather than a certification):

| Provider | Function | Attestations / Certifications |
|----------|----------|-------------------------------|
| Vercel | Application hosting | SOC 2 Type II |
| Supabase/AWS | Database & Auth | SOC 2 Type II |
| Stripe | Payments | SOC 2 Type II, PCI DSS Level 1 |
| Upstash | Rate limiting | SOC 2 Type II |
| Resend | Email | SOC 2 Type II |
| Sentry | Error monitoring | SOC 2 Type II |

### Data Residency

- All data stored in **US-East-1 (Virginia)**
- No cross-border data transfers for PII
- Edge caching limited to static assets (no PII)

## Application Security

### Secure Development Practices

- **Code Review:** All changes reviewed before merging
- **Dependency Auditing:** Regular npm audit and dependency updates
- **TypeScript:** Full type safety across the application
- **Environment Variables:** Secrets never committed to source code
- **Error Handling:** Sentry for monitoring with PII scrubbing

### OWASP Top 10 (2017 categories) Mitigations

| Risk | Mitigation |
|------|-----------|
| Injection | Parameterized queries via Supabase client |
| Broken Authentication | Supabase Auth with session management |
| Sensitive Data Exposure | TLS 1.2+, AES-256 at rest, no PII in logs |
| XML External Entities | JSON API; the only XML input is the SAML 2.0 response, whose parser must run with DTD and external-entity resolution disabled |
| Broken Access Control | Row-Level Security, role-based API checks |
| Security Misconfiguration | Strict CSP, security headers, minimal permissions |
| Cross-Site Scripting | React auto-escaping, CSP headers |
| Insecure Deserialization | Zod schema validation on all inputs |
| Using Components with Known Vulnerabilities | Regular dependency updates |
| Insufficient Logging | Sentry error tracking, timestamp audit columns |

## Multi-Tenant Architecture

### Organization Data Model

```
Organization
├── Members (role-based: owner, admin, member)
├── SSO Configuration (SAML 2.0)
├── Subscription (Stripe)
├── Assignments (exam & course)
└── Reports & Analytics
```

### Tenant Isolation

- PostgreSQL Row-Level Security enforces data boundaries
- Each organization has a unique ID that serves as the tenant key in every organization-scoped table and in its RLS policies
- Cross-tenant reads and writes are blocked at the database level for every query made with user-scoped credentials; the Supabase service-role key bypasses RLS, which is why it is confined to server-side code (see API Authorization)
- API routes verify organization membership before processing

## Compliance Status

| Standard | Status |
|----------|--------|
| SOC 2 Type I | Readiness phase (audit planned Q3 2026) |
| SOC 2 Type II | Planned Q1 2027 |
| WCAG 2.1 AA / Section 508 | Conformant |
| GDPR | Aware (EU data not processed) |
| PCI DSS | Handled by Stripe (Level 1) |
| Data Residency (US) | Compliant |

## Incident Response

1. **Detection:** Automated monitoring via Sentry
2. **Triage:** Security team notified within 1 hour
3. **Containment:** Immediate isolation of affected systems
4. **Notification:** Customer notification within 72 hours
5. **Remediation:** Root cause analysis and fix deployment
6. **Post-mortem:** Documented and shared with affected parties

## Contact

| Purpose | Contact |
|---------|---------|
| Security concerns | security@buildingcodeacademy.org |
| Procurement inquiries | enterprise@buildingcodeacademy.org |
| Accessibility | accessibility@buildingcodeacademy.org |
| Privacy & DPA | privacy@buildingcodeacademy.org |

---

*This whitepaper is reviewed and updated quarterly. Last updated February 2026.*
