Skip to content

Security

Last updated July 2026

Okula Haven hosts the public and staff-facing web presence of school districts. This page describes, plainly and without embellishment, how we protect that data and where our formal compliance work currently stands.

Tenant isolation and access control

Every district is a separate tenant. Data is isolated at the database level with row-level security (RLS) enforced on every table, so a request can only ever read or write rows belonging to the district it is authenticated for. The public, no-login district websites are served through a separate anonymous role whose access is restricted to published, public content only. Within a district, access follows role-based permissions (owner, admin, editor).

Data protection

  • All traffic is encrypted in transit over HTTPS/TLS.
  • Data is stored on a managed Postgres platform (Supabase) with encryption at rest and managed, monitored backups.
  • We follow least-privilege principles for administrative and service credentials, and secrets are kept out of source control.
  • Authentication is handled by our identity provider; passwords are never stored in application tables.

Compliance roadmap

We want to be candid about certifications rather than imply ones we do not hold. As of this writing, Okula Haven does notyet carry a completed SOC 2 report — a SOC 2 Type II examination is in progress, and we will update this page and share the report under NDA once it is available. We are happy to complete a district's security questionnaire and discuss our controls in detail as part of procurement.

Reporting a vulnerability

If you believe you have found a security vulnerability, please email security@okula.app with details and steps to reproduce. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. You can also reach us through the contact form.