We take the security and privacy of student data, teacher credentials, and school information seriously. Here's how we protect everything.
Checkmate is fully compliant with the Children's Online Privacy Protection Act (COPPA). We collect only the minimum data necessary for educational purposes. Student accounts are created through teacher-issued class codes — never independently. We do not collect personal information from children under 13 without verifiable parental or school consent, and we never sell, share, or use student data for advertising or marketing purposes.
256-bit TLS: Encrypted in Transit
Bcrypt Hashed: Passwords & Credentials
Encrypted at Rest: Database & Tokens
Role-Based Access: Strict Permissions
We only collect what's needed: name, date of birth, and email. No social media profiles, no tracking cookies, no behavioral analytics. Student data is used exclusively for educational purposes.
Student passwords are hashed using bcrypt with unique salts. Even we can't see them. The original password is irreversibly transformed — it can only be verified, never retrieved.
Every request is verified server-side. Students can only access their own submissions, grades, and assignments. They cannot view other students' work or personal information.
Students can only join a class with a teacher-issued code. There's no open registration — teachers control exactly who enters their classroom.
Teacher and admin sessions use cryptographically random tokens stored in HTTP-only, secure cookies. Because the cookies are HTTP-only, JavaScript running in the page can't read them, so they can't be stolen via XSS attacks, and they are only sent over HTTPS in production. Sessions automatically expire and are invalidated on logout.
Every user has a specific role that determines exactly what they can access. Permissions are enforced on the server — not the browser.
Org Owner: Full org control
Org Admin: Admin access
Dept. Head: Department level
Teacher: Class management
TA: Assist teachers
Student: Own data only
Each school's data is completely isolated. Teachers can only access their own classes. Organization admins can only see their own organization. Even Checkmate platform administrators cannot access private organization data — your school stays in your control.
Checkmate uses OAuth 2.0 to connect to PowerSchool. Teachers log in to PowerSchool directly — their credentials are never sent to or stored by Checkmate. We only receive a limited-scope access token.
OAuth access and refresh tokens are stored encrypted in the database. They cannot be read without the encryption key. Teachers can revoke access at any time.
The integration only requests the minimum permissions needed to release grades. It cannot modify student records, change schedules, or access data beyond what's necessary.
The OAuth flow includes a state parameter that prevents cross-site request forgery attacks. Redirect URIs are strictly validated.
All communication with PowerSchool goes through an encrypted API gateway. Traffic is encrypted both ways using TLS. No direct browser-to-PowerSchool communication.
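The state check and exact-match redirect URI validation described above can be sketched as follows. This is an added example, not Checkmate's code: the function names, the in-memory session object, the `example.test` URLs and the ten-minute state lifetime are all assumptions.

```javascript
// Added example: endpoint, client id and callback URL are placeholders.
const crypto = require('node:crypto');

// Exact-match allowlist: no prefix, wildcard or substring matching.
const REGISTERED_REDIRECTS = new Set([
  'https://app.example.test/oauth/callback',
]);
const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending flow

// Step 1: mint an unguessable state and bind it to the caller's session.
function beginAuthorization(session, authorizeUrl, clientId, redirectUri, now = Date.now()) {
  if (!REGISTERED_REDIRECTS.has(redirectUri)) {
    throw new Error('redirect_uri is not registered');
  }
  const state = crypto.randomBytes(32).toString('hex');
  session.oauth = { state, redirectUri, expires: now + STATE_TTL_MS };
  const url = new URL(authorizeUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Step 2: accept the callback only if its state matches this session's
// pending value, has not expired, and has not been used before.
function verifyCallback(session, query, now = Date.now()) {
  const pending = session.oauth;
  delete session.oauth; // single use, whether the check passes or fails
  if (!pending || typeof query.state !== 'string' || typeof query.code !== 'string') {
    return { ok: false, reason: 'no_pending_flow' };
  }
  if (now > pending.expires) return { ok: false, reason: 'expired' };
  const expected = Buffer.from(pending.state);
  const received = Buffer.from(query.state);
  if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // The token request must reuse exactly the redirect_uri sent in step 1.
  return { ok: true, code: query.code, redirectUri: pending.redirectUri };
}
```

A callback that arrives in a session with no pending flow, or with a state minted for a different session, is refused before the authorization code is ever exchanged.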
Secure and HttpOnly.
We use Prisma ORM with parameterized queries. User input is never concatenated into SQL statements, making SQL injection attacks impossible.
AI-powered features are rate-limited to prevent abuse. Requests are tracked per-user with sliding window throttling. Excessive requests are queued gracefully rather than rejected.
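A per-user sliding window that defers excess requests instead of rejecting them can be sketched like this. It is an added example, not Checkmate's code: the class name, limits and the backlog cap are assumptions, the cap being added so that one user cannot grow the queue without bound.

```javascript
// Added example: hypothetical class, limits chosen for illustration only.
class SlidingWindowQueue {
  constructor(limit, windowMs, maxQueued) {
    this.limit = limit;         // requests allowed per user per window
    this.windowMs = windowMs;   // window length in milliseconds
    this.maxQueued = maxQueued; // assumed cap on deferred requests per user
    this.slots = new Map();     // userId -> ascending start times (past and reserved)
  }

  // Decide when a request arriving at `now` may start. Returns
  // { accepted: true, delayMs } or { accepted: false } if the backlog is full.
  schedule(userId, now = Date.now()) {
    // Keep only start times still inside the window that ends at `now`,
    // plus reservations that lie in the future.
    const times = (this.slots.get(userId) || []).filter((t) => t > now - this.windowMs);
    let start = now;
    if (times.length >= this.limit) {
      // The request can start once the limit-th most recent slot leaves the window.
      start = Math.max(now, times[times.length - this.limit] + this.windowMs);
    }
    const queued = times.filter((t) => t > now).length;
    if (start > now && queued >= this.maxQueued) {
      this.slots.set(userId, times);
      return { accepted: false };
    }
    times.push(start); // reserve the slot so later requests queue behind it
    this.slots.set(userId, times);
    return { accepted: true, delayMs: start - now };
  }
}

// Caller side: run the work after the computed delay.
function runThrottled(queue, userId, work) {
  const decision = queue.schedule(userId);
  if (!decision.accepted) return Promise.reject(new Error('backlog full'));
  return new Promise((resolve) => setTimeout(resolve, decision.delayMs)).then(work);
}
```

Because each deferred request reserves its own start time, no window of `windowMs` ever contains more than `limit` starts for one user, and other users are unaffected by one user's backlog.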
Every authentication event, permission change, and administrative action is logged with timestamps, user IDs, and IP addresses. Logs are searchable and retained for compliance purposes.
Database credentials, API keys, and OAuth secrets are stored as environment variables — never hardcoded. The application runs in isolated Docker containers with minimal attack surface.
Students cannot create accounts independently. They must use a teacher-issued class code, ensuring school consent is in place before any data is collected.
We only collect information necessary for the educational service: name, date of birth, and email. No photos, locations, social profiles, or unnecessary personal details.
Student data is never used for advertising, marketing, or profiling. There are no third-party ad trackers, no behavioral targeting, and no data sales — ever.
Under COPPA's school exception, schools can consent on behalf of parents for educational services. Teachers and administrators control student account creation and data access.
Schools and parents can request deletion of a student's personal information at any time. We will promptly remove all associated data from our systems.
All student data is encrypted in transit and at rest. Access is restricted by role-based permissions. We maintain comprehensive audit logs for accountability.
Secure sessions, bcrypt passwords, HTTP-only cookies, automatic expiration
Role-based access, data isolation, server-side enforcement, audit logs
COPPA compliant, data minimization, no ads, school-controlled consent
We're happy to answer any questions about how we protect your school's data.