Security & trust
Last updated April 13, 2026

Trust Center

OhoLingo is built as a modern, security-focused language learning platform. We combine careful product design with industry-standard safeguards so individuals and future institutional partners can adopt the service with confidence.

  • Edge-delivered web app: global CDN
  • TLS everywhere: encryption in transit
  • Managed data layer: Supabase Postgres
  • Operational monitoring: health & alerts


Foundation

Security overview

Security at OhoLingo is an ongoing discipline—not a certificate on a wall. We design the product with sensible defaults, minimize sensitive surface area, and rely on mature cloud providers so we can focus on teaching experiences that stay fast, private, and reliable for learners everywhere.

This Trust Center explains how we think about infrastructure, data, authentication, application protections, and vendor relationships. It is descriptive of our architecture and practices; it is not a legal agreement—please refer to our Privacy Policy and Terms of Service for contractual terms.

Security overview (PDF)

A downloadable PDF summary is planned. Until then, use this page and contact us for procurement packets.

Encryption in transit

Browser sessions use modern TLS. API traffic is encrypted between clients and our hosting and backend providers.

Defense in depth

Security is layered across hosting, application code, database policies, and operational practices—not a single toggle.

Session integrity

Authentication flows are built around Secure, HttpOnly session cookies and server-side session handling wherever the rendering path allows it, so session tokens are not exposed to page scripts.

Visibility

We monitor application health and errors to detect anomalies quickly and ship fixes responsibly.

Platform

Infrastructure security

The OhoLingo web application is hosted on Vercel, which provides a global content delivery network, automatic HTTPS, and edge protection features appropriate to modern web applications. This helps ensure low latency for learners, consistent TLS, and platform-level DDoS mitigation typical of leading edge networks.

We configure deployments to follow secure networking expectations: traffic is terminated with modern TLS versions and cipher practices suitable for production SaaS delivery. Internal administrative access follows least-privilege principles appropriate to a small, accountable team.

High-level data flow (simplified)

Diagram is illustrative. Actual deployment topologies may include staging environments, additional caching, and provider-specific controls not shown here.

Confidentiality & availability

Data protection

Encryption in transit: Connections to oholingo.com and related APIs use HTTPS so data moving between your browser and our services is protected with industry-standard transport encryption.

Encryption at rest: Stored application data benefits from encrypted storage primitives provided by our managed database and object storage vendors, so that storage media lost, decommissioned, or otherwise removed from the provider's control do not expose readable data.

Database security: Learner-owned data is modelled with Row Level Security policies on Supabase, enforced inside Postgres itself, so a request authenticated as one learner cannot read or modify another learner's progress unless a policy explicitly permits it.
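The shape of such a policy, and the check that keeps it meaningful, as an added example rather than OhoLingo's own schema or code: a learner_progress table whose every policy is bound to auth.uid(), followed by a build-time audit for the failure mode that silently undoes RLS, a service_role key ending up in a browser-facing environment variable. The table and column names, the NEXT_PUBLIC_ variable names, and the sample keys are all assumptions; the keys are constructed with a placeholder signature because only the payload's role claim is inspected.

```typescript
// Added example, not OhoLingo code. Illustrative Postgres migration: every
// policy is bound to the caller's auth.uid(), so one database role serves all
// learners while each sees and edits only their own rows.
export const RLS_MIGRATION = `
create table if not exists learner_progress (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  lesson_id  text not null,
  score      int  not null check (score between 0 and 100),
  updated_at timestamptz not null default now()
);

alter table learner_progress enable row level security;

create policy "learners read own progress" on learner_progress
  for select to authenticated using (auth.uid() = user_id);

create policy "learners insert own progress" on learner_progress
  for insert to authenticated with check (auth.uid() = user_id);

create policy "learners update own progress" on learner_progress
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);
`;

// RLS is only a boundary if the key the browser holds is the anon key.
// Supabase API keys are JWTs whose payload carries a "role" claim; the
// service_role key bypasses RLS entirely and must stay server-side.
export type KeyRole = "anon" | "service_role" | "unknown";

export function classifySupabaseKey(jwt: string): KeyRole {
  const parts = jwt.split(".");
  if (parts.length !== 3) return "unknown";
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    if (payload.role === "anon" || payload.role === "service_role") return payload.role;
  } catch {
    // not a JWT we can decode
  }
  return "unknown";
}

// Next.js inlines every NEXT_PUBLIC_* variable into the client bundle, so a
// service_role key under that prefix is effectively published.
export function auditPublicEnv(env: Record<string, string | undefined>): string[] {
  const findings: string[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith("NEXT_PUBLIC_") || !value) continue;
    if (classifySupabaseKey(value) === "service_role") {
      findings.push(`${name} carries a service_role key; RLS is bypassed in the browser`);
    }
  }
  return findings;
}

// Constructed sample keys (assumption): real keys are HS256-signed, but only
// the role claim matters here, so the signature segment is a placeholder.
function fakeKey(role: string): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", role })}.sig`;
}

// Constructed environment (variable names are illustrative).
export const SAMPLE_ENV: Record<string, string | undefined> = {
  NEXT_PUBLIC_SUPABASE_URL: "https://example.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: fakeKey("anon"),
  NEXT_PUBLIC_SUPABASE_KEY: fakeKey("service_role"),   // the mistake this catches
  SUPABASE_SERVICE_ROLE_KEY: fakeKey("service_role"),  // server-only, acceptable
};
```

Running auditPublicEnv over process.env in a CI step before the Next.js build turns the mistake into a failed deploy rather than a quiet loss of tenant isolation.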

Backups & continuity: Our cloud providers include backup and redundancy features appropriate to managed Postgres. We aim for restore procedures proportional to a learning product—detailed enterprise recovery targets can be discussed for institutional customers.

Accounts

Authentication security

Authentication is powered by Supabase Auth with patterns aligned to server-side rendering: where configured, session tokens are carried in Secure, HttpOnly cookies so that page scripts, and therefore any injected script, cannot read them.

Email verification: Account verification and sensitive changes use email confirmation flows to reduce takeover risk and keep recovery predictable.

Social login: Where OAuth providers are enabled, we delegate credential handling to those providers and receive scoped tokens suitable for linking an account—never your third-party password.

Session management: Sessions expire and rotate according to provider and application configuration. We avoid verbose client logging of session material in production builds.

MFA readiness: Additional authentication factors are part of our product roadmap for teams and institution administrators who require stronger assurance than passwords alone.

Product engineering

Application security

Input validation: User input is validated on the server wherever data crosses a trust boundary—lessons, profiles, and authoring flows reject malformed payloads before they touch persistence layers.

Rate limiting & abuse prevention: High-risk endpoints receive throttling and heuristics to deter automated abuse while keeping legitimate learners productive.
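One form such throttling takes, as an added example that is not OhoLingo's code: a sliding-window limiter in front of a password-reset endpoint, keyed on a hash of client IP and target account. The limit of 5 requests per 15 minutes, the IP address, and the account are constructed for the example; the page does not publish OhoLingo's real thresholds.

```typescript
// Added example, not OhoLingo code. Sliding-window limiter with an injectable
// clock so behaviour can be tested without waiting.
import { createHash } from "node:crypto";

export interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  constructor(limit: number, windowMs: number, now: () => number = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  // Count only timestamps inside the window, then admit or refuse this request.
  check(key: string): Decision {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter(ts => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // Oldest hit in the window decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop keys with no hits in the window so memory does not grow without bound.
  prune(): void {
    const cutoff = this.now() - this.windowMs;
    for (const [key, ts] of this.hits) {
      if (!ts.some(x => x > cutoff)) this.hits.delete(key);
    }
  }
}

// Key on (ip, account): a single attacker cannot lock out everyone behind one
// NAT, and a distributed attacker cannot spray one account. Hashing keeps raw
// addresses and e-mail addresses out of memory dumps and debug logs.
export function limiterKey(ip: string, account: string): string {
  return createHash("sha256")
    .update(`${ip}\n${account.trim().toLowerCase()}`)
    .digest("hex")
    .slice(0, 32);
}

// Constructed scenario: seven reset requests one second apart, then one more
// after the window has slid past the burst.
export function simulateResetAbuse(): Decision[] {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(5, 15 * 60_000, () => clock);
  const key = limiterKey("203.0.113.7", "Learner@Example.com");
  const decisions: Decision[] = [];
  for (let i = 0; i < 7; i++) {
    clock += 1_000;
    decisions.push(limiter.check(key));
  }
  clock += 15 * 60_000;
  decisions.push(limiter.check(key));
  return decisions;
}
```

A refusal should surface as HTTP 429 with a Retry-After header derived from retryAfterMs; for a reset endpoint the response body should be identical for existing and non-existing accounts so the limiter does not become an account-enumeration oracle.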

Secure headers: We adopt modern HTTP security headers appropriate to Next.js deployments, such as X-Content-Type-Options: nosniff and frame-ancestors / X-Frame-Options restrictions, to reduce common web attack classes like MIME sniffing and clickjacking.
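A check that a reviewer can run against a live response to confirm both the cookie flags described under Authentication security and the headers described here, as an added example that is not part of OhoLingo's codebase. Header names are expected in lowercase, as Node's IncomingMessage.headersDistinct supplies them; the two constructed responses, the sb-session cookie name, and the header values are illustrative.

```typescript
// Added example, not OhoLingo code. Audits one response for the session-cookie
// flags and security headers this page describes.
export interface Finding { header: string; problem: string }

type HeaderMap = Record<string, string[] | undefined>;

// HttpOnly keeps the token away from page scripts, Secure keeps it off plain
// HTTP, SameSite limits when the browser attaches it to cross-site requests.
export function auditSetCookie(setCookie: string): Finding[] {
  const out: Finding[] = [];
  const name = setCookie.split("=")[0].trim();
  const attrs = setCookie.toLowerCase();
  const has = (attr: string) => new RegExp(`;\\s*${attr}(;|$)`).test(attrs);
  if (!has("httponly")) out.push({ header: "set-cookie", problem: `${name}: missing HttpOnly, readable by any script on the page` });
  if (!has("secure")) out.push({ header: "set-cookie", problem: `${name}: missing Secure, may be sent over plain HTTP` });
  const sameSite = /;\s*samesite=(strict|lax|none)/.exec(attrs);
  if (!sameSite) out.push({ header: "set-cookie", problem: `${name}: SameSite not set, relying on browser defaults` });
  else if (sameSite[1] === "none") out.push({ header: "set-cookie", problem: `${name}: SameSite=None, cookie rides along on cross-site requests` });
  return out;
}

export function auditSecurityHeaders(headers: HeaderMap): Finding[] {
  const out: Finding[] = [];
  const get = (n: string): string[] => headers[n] ?? [];

  if (!get("x-content-type-options").some(v => v.trim().toLowerCase() === "nosniff"))
    out.push({ header: "x-content-type-options", problem: "missing 'nosniff', browsers may sniff content types" });

  // Clickjacking: a CSP frame-ancestors directive or legacy X-Frame-Options.
  const csp = get("content-security-policy").join(";").toLowerCase();
  if (!/(^|;)\s*frame-ancestors\s/.test(csp) && get("x-frame-options").length === 0)
    out.push({ header: "content-security-policy", problem: "no frame-ancestors directive and no X-Frame-Options, page can be framed" });

  // HSTS: present and with a max-age of at least 180 days (a common floor).
  const hsts = get("strict-transport-security")[0];
  const maxAge = hsts ? Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0) : 0;
  if (maxAge < 15_552_000)
    out.push({ header: "strict-transport-security", problem: hsts ? `max-age ${maxAge} below 180 days` : "missing, first request may go over plain HTTP" });

  if (get("referrer-policy").length === 0)
    out.push({ header: "referrer-policy", problem: "missing, full URLs may leak to third parties" });

  for (const cookie of get("set-cookie")) out.push(...auditSetCookie(cookie));
  return out;
}

// Constructed responses (assumption): the weak one is what a default deploy
// often looks like; the hardened one is what the page's claims imply.
export const WEAK_RESPONSE: HeaderMap = {
  "content-type": ["text/html"],
  "set-cookie": ["sb-session=abc123; Path=/"],
};

export const HARDENED_RESPONSE: HeaderMap = {
  "content-type": ["text/html"],
  "x-content-type-options": ["nosniff"],
  "content-security-policy": ["default-src 'self'; frame-ancestors 'none'"],
  "strict-transport-security": ["max-age=63072000; includeSubDomains; preload"],
  "referrer-policy": ["strict-origin-when-cross-origin"],
  "set-cookie": ["sb-session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
};
```

Feeding the output of an authenticated request (so that Set-Cookie is actually present) into auditSecurityHeaders gives a reviewer an empty list or a concrete to-do list rather than a sentence of assurance.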

CSRF, XSS, and injection: Framework defaults and output escaping mitigate cross-site scripting; cookie-authenticated state-changing operations are protected against cross-site request forgery; and parameterized queries, which keep user data out of the query text, prevent SQL injection against our Postgres APIs.

Rights & transparency

Privacy & compliance

GDPR readiness: We design processes and documentation for European and global privacy expectations: lawful basis transparency, data minimization in product analytics, and clear channels for questions.

Cookie consent: Non-essential analytics and marketing scripts honor your choices via our cookie banner and consent APIs—see our Cookie Policy for categories.

Privacy controls: In-product settings and account tools evolve alongside the platform; refer to the Privacy Policy for the authoritative list of rights (such as access, correction, and deletion) and how to exercise them.

  • GDPR-aware design

    Privacy notices, consent flows, and configurable controls.

  • Cookie consent

    Non-essential scripts respect regional preferences.

  • Data subject tools

    Rights described in our Privacy Policy; workflows evolve with the product.

  • Tenant isolation mindset

    RLS-oriented data models for user-owned records.

  • Account verification

    Email confirmation for sensitive account changes where enabled.

  • Vendor due diligence

    Critical providers are chosen for operational maturity.

Operations

Monitoring & incident response

Monitoring & alerting: Production environments emit logs and metrics that help the team notice spikes in errors, unusual traffic, or availability regressions early.

Audit trails: Administrative and security-sensitive actions are logged where practicable so investigations can reference traceable evidence.

Incident response: When an incident is suspected or confirmed, we follow a contained workflow: assess impact, mitigate immediate risk, communicate to affected users when warranted, document root causes, and ship durable fixes. Enterprise customers may receive advance notice of material events as contractually agreed.

Ecosystem

Subprocessors & vendors

Like most SaaS products, OhoLingo depends on specialized vendors. We select providers with strong operational reputations and govern them through organizational review, least-privilege access, and contractual expectations where applicable.

  • Vercel (hosting & edge)

    Purpose: Global application hosting, CDN, and edge delivery for the web app.
    Security notes: HTTPS termination at the edge; DDoS mitigation and network controls as provided by the platform.

  • Supabase (backend & data)

    Purpose: Authentication, Postgres database, storage, and server-side APIs where configured.
    Security notes: Designed for Row Level Security policies, encrypted connections, and managed infrastructure.

  • Analytics, if enabled (product analytics)

    Purpose: Privacy-conscious measurement of usage to improve the product, subject to consent where required.
    Security notes: Loads only after consent where applicable; see /legal/cookies and your privacy controls in-product.

  • Email provider (transactional email)

    Purpose: Verification, password reset, and account-related notices.
    Security notes: Transport uses TLS; content is limited to operational messaging.

  • Payment processor (billing)

    Purpose: Card and subscription handling when billing features are enabled.
    Security notes: Sensitive card data is handled by the processor; OhoLingo receives tokens/references where applicable.

Shared responsibility

Security best practices for users

  • Use a unique password and a reputable password manager.
  • Watch for phishing domains that mimic OhoLingo; check the sender's domain before acting on a message, since we only send from our own domains.
  • Keep your email inbox secured; password resets land there.
  • Sign out on shared devices and avoid installing unknown browser extensions that read page content.

Coordinated disclosure

Responsible disclosure

If you believe you have found a security vulnerability, please tell us. We welcome good-faith research that avoids user harm, data destruction, or service disruption.

Include concise reproduction steps, affected components, and your assessment of impact. We aim to acknowledge valid reports and work toward remediation timelines proportional to severity.

Security inquiries

For vulnerability reports, procurement questionnaires, or institutional reviews, email the security team directly.

Common questions

Frequently asked questions

Where is OhoLingo hosted?

The web application is deployed on Vercel with a global edge network. Backend services such as authentication and the database are provided by Supabase and are configured for HTTPS and modern access controls.

Do you offer a SOC 2 or ISO 27001 report?

We do not publish third-party attestation reports on this page today. Enterprise customers evaluating OhoLingo for schools or institutions can contact us to discuss security practices and contractual protections appropriate to their review process.

How is data encrypted?

Traffic between your browser and our services uses industry-standard TLS in transit. Data at rest is protected by our cloud providers’ storage encryption. We design the product so sensitive flows do not rely on ad-hoc client-side secrets.

How does privacy and GDPR fit in?

We architect for privacy-conscious defaults: transparent notices, consent where required, and privacy settings described in our Privacy Policy. Rights such as access, rectification, and erasure depend on your jurisdiction and what we process—see the policy for how to exercise them.

How do I report a security vulnerability?

Use the security contact shown in the Responsible Disclosure section. Include steps to reproduce, impact, and, if possible, a non-destructive proof. We aim to acknowledge good-faith reports promptly.

Will multi-factor authentication (MFA) be available?

Strong authentication is on our roadmap. Today we use secure session handling and verified email flows; we will communicate when additional MFA options are available to learners and admins.

Talk to our team

Evaluating OhoLingo for a school, company, or university procurement process? We can share deeper security detail, data flows, and roadmap commitments under NDA where appropriate.