Back to Compliance Portal

Compliance document

Technical Security White Paper

Architecture-level overview of VerbalCheck authentication, authorization, storage, LMS integration, and operational controls.

Status

Published white paper

Effective date

June 2026

Audience

IT directors, CIOs, CISOs, security reviewers, and implementation teams

Architecture overview

  • Frontend and application server: Next.js deployed on Vercel.
  • Database: PostgreSQL through Railway.
  • Data access: Prisma ORM.
  • Storage: private object storage paths for sensitive submissions and interview audio where configured.
  • Integrations: LMS LTI 1.3 workflows, AI services, email, and optional speech or voice providers.

Authentication and authorization

  • JWT sessions are stored in httpOnly cookies.
  • Protected APIs enforce role checks and object-level authorization.
  • Server-side session records support logout, deactivation, and role-change revocation.
  • Admin and system actions should be constrained to least-privilege roles.

Application security controls

  • Input validation is applied on key public and authentication endpoints.
  • Rate limiting protects login, registration, and LTI entry points.
  • Security headers include CSP, HSTS in production, Referrer Policy, and Permissions Policy.
  • Logs should redact sensitive values and mask email addresses where practical.

LMS integration controls

  • LTI launches validate issuer, audience, nonce, and signature.
  • Outbound LMS requests enforce HTTPS and allowlist checks.
  • Assignment linking and grade synchronization are scoped to the correct class, assignment, platform, and user context.