Security packet

Built for school IT + procurement reviewers. The summary below is the same content we send when a district asks for our security packet. Request the detailed PDF (DPA, SOC summary, network diagram, sub-processor list) and we will email it within one business day.

Posture

Single-tenant Postgres on Supabase, row-scoped by school_id on every query. better-auth (Apple + Google) for identity. Audit log on every leader-side mutation. /ops/posture renders red/yellow/green on every critical secret + dangerous flag.

Data minimization

No demographic flags, no protected-class fields. Equity dashboard uses grade + membership only. File uploads restricted to PDF + image; no Office macros, no ZIP.

Storage

Supabase Postgres (US-East). Supabase Storage for files + receipts (5-minute signed URLs only). Daily backups, point-in-time recovery to within 5 minutes.

Hosting

Vercel Fluid Compute (Node.js 24 LTS). Production origin pinned to trywendel.com regardless of env override. Same-school authorization enforced server-side, not just at the UI.

Auth

Apple Sign In + Google OAuth. iOS uses ASWebAuthenticationSession + PKCE. Co-leader invites are short-lived signed JWTs (14d) with IP capture + audit. Identity QR rotates every minute and is rate-limited to 20/60s per student.
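
How a one-minute rotation and a 20/60s per-student limit can fit together on the verifying side. This is an added example, not Wendel's code: the HMAC-derived value, the in-memory limiter, and every name in it (qrToken, allowAttempt, verifyScan, SECRET) are assumptions; only the two figures come from the paragraph above.

```javascript
const nodeCrypto = require("node:crypto");

// Figures from the Auth paragraph; everything else is hypothetical.
const ROTATION_MS = 60_000; // QR value changes every minute
const LIMIT = 20;           // at most 20 attempts ...
const WINDOW_MS = 60_000;   // ... per 60 seconds, per student
// Constructed sample key; a deployment would load this from its secret store.
const SECRET = Buffer.from("constructed-demo-secret");

// Value bound to one student and one one-minute slot (assumed HMAC design).
function qrToken(studentId, nowMs) {
  const slot = Math.floor(nowMs / ROTATION_MS);
  return nodeCrypto.createHmac("sha256", SECRET)
    .update(`${studentId}:${slot}`)
    .digest("hex");
}

const attempts = new Map(); // studentId -> timestamps of admitted attempts

// Sliding window: an admitted attempt counts toward the limit whether or
// not its token later verifies, so guessing is throttled too.
function allowAttempt(studentId, nowMs) {
  const recent = (attempts.get(studentId) ?? []).filter((t) => nowMs - t < WINDOW_MS);
  const allowed = recent.length < LIMIT;
  if (allowed) recent.push(nowMs);
  attempts.set(studentId, recent);
  return allowed;
}

// Returns "ok", "expired_or_invalid" or "rate_limited".
function verifyScan(studentId, token, nowMs) {
  if (!allowAttempt(studentId, nowMs)) return "rate_limited";
  const expected = Buffer.from(qrToken(studentId, nowMs), "hex");
  const given = Buffer.from(String(token), "hex");
  // Length check first: timingSafeEqual throws on unequal lengths.
  const match = given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
  return match ? "ok" : "expired_or_invalid";
}
```

The limiter runs before the comparison, so a rate-limited caller learns nothing about whether the value it presented was current.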

Retention

Nightly cron purges push tokens (180d inactive), QR nonces (30d post-expiry), audit logs (7y), announcement read state (365d), rejected reimbursements (180d). Retention windows are hardcoded, not env-configurable, so a deploy can't extend retention past the public policy.

What you get when you request the packet

  • Data Processing Agreement (DPA) template
  • FERPA + state-level compliance overview
  • Sub-processor list with purposes
  • Network + data-flow diagram
  • Incident response playbook
  • SSO + rostering roadmap
  • Penetration test summary (when available)
  • Access control + audit log schema

Public retention policy → Per-category retention windows, mirrored from the nightly cron.
Sub-processor list → Current list with purposes + locations.
Trust Center → All policies in one place.
FERPA alignment → How Wendel maps to school-records law.

Request the detailed packet

Tell us a little about your school. We will email the DPA, sub-processor list, and the full security packet PDF within one business day.

We only use this to follow up. No newsletter, no third-party sharing.