Compliance portal

Security and privacy information for institutional review

This portal collects VerbalCheck security, data handling, legal compliance, technical control, governance, and SOC 2 roadmap information for schools, districts, colleges, and universities evaluating the platform.

Published documents

These are the currently published legal and vendor artifacts. The document cards below link to additional compliance pages for institutional review.

Certification status

VerbalCheck is not currently SOC 2 certified. The roadmap section states the intended path toward SOC 2 Type I and Type II readiness as the business matures.

1. Security Overview

A practical trust summary for institutional review

Audience

Leadership, principals, department heads, and institutional buyers

VerbalCheck is designed for academic environments where student submissions, interview responses, instructor review, and LMS-connected workflows must be handled with care.

Role-based student, instructor, admin, and system access paths
Object-level authorization for protected academic records
Private handling paths for sensitive submissions and interview audio
Security reports accepted at security@verbalcheck.com

Documents and artifacts

2. Data Handling

Where data lives, how it is protected, and how long it is kept

Audience

IT directors, compliance officers, privacy reviewers, and procurement teams

VerbalCheck documents the categories of data it processes and applies retention, deletion, and access controls appropriate for student academic records.

Application hosting: Vercel
Database hosting: Railway PostgreSQL
Sensitive files and audio: private storage paths where configured
Default retention targets can be adjusted by institutional requirements and contractual terms

Documents and artifacts

4. Technical Security

Controls IT teams can evaluate

Audience

IT directors, CIOs, CISOs, security reviewers, and implementation teams

VerbalCheck uses layered application, session, authorization, storage, and integration controls to protect student and institutional data.

JWT sessions stored in httpOnly cookies with server-side session revocation
API route role checks and object-level authorization on protected records
HTTPS delivery with CSP, HSTS in production, Referrer Policy, and Permissions Policy
LTI launches validate issuer, audience, nonce, signature, and outbound LMS allowlists

Documents and artifacts

5. Governance & Operations

Operational practices for institutional accountability

Audience

Institutional buyers, IT operations, compliance officers, and vendor management teams

VerbalCheck publishes the operational information institutions need to understand vendor oversight, incident handling, and continuity expectations.

Security vulnerability reports are reviewed through a dedicated security contact
Subprocessors are listed publicly and categorized by purpose and status
Incident, continuity, and escalation practices are being formalized for institutional review
Vendor review questions can be routed through VerbalCheck support and security contacts

Documents and artifacts

6. SOC 2 Roadmap

Transparent path toward third-party assurance

Audience

CIOs, CISOs, procurement teams, and compliance officers

VerbalCheck is not currently SOC 2 certified. The roadmap below states the intended direction without presenting an audit as complete.

SOC 2 Type I is the intended first third-party audit milestone once operational maturity supports it
SOC 2 Type II is the intended follow-on milestone after controls operate over a sustained review period
Current work focuses on documented access controls, incident response, vendor oversight, encryption practices, and operational evidence
Formal audit timing will be based on institutional demand, operational scale, and business maturity

Documents and artifacts

SOC 2 intention statement

Roadmap wording for procurement and IT teams

VerbalCheck is not currently SOC 2 certified. As our institutional customer base grows and our business matures, we intend to pursue SOC 2 Type I and SOC 2 Type II examinations.

In the meantime, we are aligning internal security, privacy, availability, and confidentiality practices with principles commonly evaluated under the SOC 2 Trust Services Criteria. This includes documented access controls, data handling policies, incident response procedures, vendor oversight, encryption practices, and operational security reviews.

Our goal is to establish a practical compliance foundation now, then move toward formal third-party audit readiness as customer demand, operational scale, and infrastructure maturity warrant it.

Access control and least privilege
Change management and preview validation
Incident response and vulnerability intake
Vendor and subprocessor oversight
Data retention, deletion, and privacy workflows
Monitoring, logging, and operational review

Vendor review support

Need a questionnaire completed?

Institutional security and procurement teams can use this portal as the starting point. For additional review questions, contact VerbalCheck support or route security matters to security@verbalcheck.com.