Back to Compliance PortalCompliance document
Technical Security White Paper
Architecture-level overview of VerbalCheck authentication, authorization, storage, LMS integration, and operational controls.
Status
Published white paper
Audience
IT directors, CIOs, CISOs, security reviewers, and implementation teams
Architecture overview
- Frontend and application server: Next.js deployed on Vercel.
- Database: PostgreSQL through Railway.
- Data access: Prisma ORM.
- Storage: private object storage paths for sensitive submissions and interview audio where configured.
- Integrations: LMS LTI 1.3 workflows, AI services, email, and optional speech or voice providers.
Authentication and authorization
- JWT sessions are stored in httpOnly cookies.
- Protected APIs enforce role checks and object-level authorization.
- Server-side session records support logout, deactivation, and role-change revocation.
- Admin and system actions should be constrained to least-privilege roles.
Application security controls
- Input validation is applied on key public and authentication endpoints.
- Rate limiting protects login, registration, and LTI entry points.
- Security headers include CSP, HSTS in production, Referrer Policy, and Permissions Policy.
- Logs should redact sensitive values and mask email addresses where practical.
LMS integration controls
- LTI launches validate issuer, audience, nonce, and signature.
- Outbound LMS requests enforce HTTPS and allowlist checks.
- Assignment linking and grade synchronization are scoped to the correct class, assignment, platform, and user context.