Security at Chalk

Sensitive material is encrypted at rest and in transit.

• AES-256-GCM at rest for credentials, OAuth tokens, SAML keypairs, and OIDC JWKs.
• TLS 1.2+ for all data in transit, with HSTS enabled on the hosted service (preload submission in progress).
• Master-key rotation supported without service downtime.

Each district runs in its own logical environment.

• Per-tenant Postgres schema with row-level enforcement on shared metadata.
• Per-tenant scheduler with noisy-neighbor protection on sync jobs.
• Tenant identifiers carried through every audit-log entry.

Chalk can be your district's identity provider.

• Self-hosted SAML 2.0 IDP with auto-generated keypairs and metadata endpoint.
• OIDC federation for downstream applications.
• Argon2id password hashing with per-tenant tunable cost.
• Configurable session timeout, absolute lifetime, and idle expiry.

Security-relevant events are recorded and searchable.

• Successful and failed login attempts, including source IP and user agent.
• Password changes, badge generation and revocation, and admin actions.
• Tenant provisioning, role changes, and master-key rotations.
• Searchable by user, IP, event type, and time range.

Defense in depth at the application layer.

• CSRF tokens on every state-changing request.
• Strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.
• Subresource Integrity on CDN-loaded scripts.
• HSTS with preload, plus secure and HttpOnly cookies.

Our commitments on what we will never do with student data.

• We never sell student data.
• We never use student data for advertising or profiling.
• We never train AI models on student data.

Where we are and what is on the roadmap.

• FERPA: Chalk operates as a school official with a legitimate educational interest.
• COPPA-aware: districts retain school authorization for under-13 processing.
• SOC 2 Type II: on the roadmap, not yet obtained.
• State student-privacy laws: DPA template aligned with common requirements.