Security Information

Last Updated: February 6, 2026

1. Our Security Commitment

At PlayQuizNow, security is a top priority. We implement industry-standard security measures to protect your data and ensure a safe learning environment for students and educators. This document outlines our security practices and compliance efforts.

2. Data Encryption

2.1 Data in Transit

  • All data transmitted between users and our servers is encrypted using TLS 1.2 or higher
  • HTTPS is enforced across all endpoints
  • WebSocket connections for real-time quiz features use the secure WSS protocol
  • API communications are encrypted end-to-end

2.2 Data at Rest

  • Database encryption using AES-256
  • Encrypted backups stored in secure, geographically distributed locations
  • Sensitive credentials and API keys stored in encrypted vaults

3. Authentication & Access Control

  • Secure authentication via OAuth 2.0 (Google Sign-In)
  • JWT tokens with short expiration times for session management
  • Role-based access control (RBAC) for different user types
  • LTI 1.3 integration with secure key exchange for LMS platforms
  • Rate limiting to prevent brute force attacks
  • Automatic session timeout after periods of inactivity

4. Infrastructure Security

  • Cloud infrastructure hosted on enterprise-grade platforms with SOC 2 compliance
  • Network segmentation and firewalls to isolate sensitive components
  • Regular security patches and updates applied promptly
  • DDoS protection and mitigation
  • Automated monitoring and alerting for suspicious activities
  • Regular penetration testing and vulnerability assessments

5. Educational Privacy Compliance

5.1 FERPA Compliance

PlayQuizNow supports educational institutions in maintaining FERPA compliance:

  • Student education records are protected and only accessible to authorized parties
  • We act as a "school official" under FERPA when processing student data on behalf of institutions
  • Data is used solely for educational purposes as directed by the institution
  • Parents and eligible students can request access to their records

5.2 COPPA Compliance

For users under 13 years of age:

  • Parental consent is obtained through the educational institution
  • Minimal data collection - only what's necessary for educational purposes
  • No behavioral advertising or tracking of children
  • Parents can review and request deletion of their child's data

6. Data Handling Practices

  • Data minimization - we only collect data necessary for the service
  • Clear data retention policies with automatic deletion of inactive accounts
  • Secure data deletion procedures when accounts are closed
  • No selling or sharing of personal data with third parties for advertising
  • Regular data access audits

7. Incident Response

In the event of a security incident:

  • Immediate containment and investigation procedures
  • Notification to affected users and institutions within 72 hours
  • Full incident documentation and post-mortem analysis
  • Remediation steps to prevent future occurrences

8. Third-Party Security

We carefully vet all third-party services and require them to meet our security standards:

  • Payment processing through PCI-DSS compliant providers (Stripe)
  • Cloud hosting on SOC 2 certified infrastructure
  • Regular security reviews of third-party integrations

9. Security Contact

To report security vulnerabilities or ask security-related questions:

PlayQuizNow Security Team
Email: info@playquiznow.com

For security vulnerabilities, please include detailed information about the issue. We appreciate responsible disclosure and will acknowledge receipt within 24 hours.
