IncluShift Enterprise
Trust & Security Center
IncluBridge is built on a zero-PII architecture with AES-256 encryption, designed to meet the security requirements of school districts processing sensitive special education data.
Family Educational Rights and Privacy Act
Zero-PII architecture. UUID-only identification. Messages stored device-locally. Export uses sanitizeForExport() to strip all identifying data.
Children's Online Privacy Protection Act (Amended Jan 2025)
Written data retention policy. Written information security program. No analytics, cookies, third-party scripts, or ads. Compliance deadline: April 22, 2026.
Health Insurance Portability and Accountability Act
AES-256-GCM encryption at rest. TLS 1.3 in transit. Behavioral and cognitive data encrypted before transmission via crypto telemetry middleware.
Digital Accessibility Rule (April 2024)
Targets WCAG 2.2 Level AAA. 48px minimum touch targets. High contrast mode. Font scaling 100-150%. Screen reader support. Reduce motion toggle.
Security Architecture
Zero-PII Communication Architecture
- ✓ All message content stored exclusively on the user's device
- ✓ UUID-only identification — no names, dates of birth, or student IDs collected
- ✓ District linking via anonymous share codes, not email or phone exchange
- ✓ AI jargon translation strips all PII before processing via stripPII()
- ✓ Stripped text uses generic tokens: [STUDENT], [SCHOOL], [DATE], [TEACHER]
- ✓ Tokens re-mapped to original values device-locally after AI processing
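
The tokenize, check and re-map round trip described in this list, as an added sketch that is not IncluBridge's own code. The function bodies, the `known` dictionary of device-held values, the `findLeaks` check and the numeric token suffix are all assumptions made for illustration.

```javascript
// Added illustration: stripPII/restorePII are hypothetical stand-ins, not IncluBridge code.
// Assumption: the device already holds the sensitive values (e.g. in a local profile).
const TOKEN_RE = /\[(?:STUDENT|SCHOOL|DATE|TEACHER)(?:_\d+)?\]/g;
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function stripPII(text, known) {
  const tokenMap = {}; // token -> original value; stays on the device
  const entries = [];
  for (const [kind, values] of Object.entries(known)) {
    values.forEach((value, i) => {
      // Numeric suffix (an assumption) keeps a second teacher distinguishable.
      entries.push({ value, token: i === 0 ? `[${kind}]` : `[${kind}_${i + 1}]` });
    });
  }
  entries.sort((a, b) => b.value.length - a.value.length); // longest match first
  let sanitized = text;
  for (const { value, token } of entries) {
    const re = new RegExp(`(?<!\\w)${escapeRegExp(value)}(?!\\w)`, "gi");
    const next = sanitized.replace(re, token);
    if (next !== sanitized) tokenMap[token] = value;
    sanitized = next;
  }
  return { sanitized, tokenMap };
}

// Pre-transmission check: any known value still present means the payload must not be sent.
function findLeaks(sanitized, known) {
  const lower = sanitized.toLowerCase();
  return Object.values(known).flat().filter((v) => lower.includes(v.toLowerCase()));
}

function restorePII(text, tokenMap) {
  // Tokens with no local mapping (e.g. invented by the model) are left untouched.
  return text.replace(TOKEN_RE, (tok) =>
    Object.prototype.hasOwnProperty.call(tokenMap, tok) ? tokenMap[tok] : tok);
}

// Constructed sample data.
const known = {
  STUDENT: ["Maya Ortiz"], TEACHER: ["Ms. Lee", "Mr. Park"],
  SCHOOL: ["Ridgeview Elementary"], DATE: ["03/14/2025"],
};
const message = "Ms. Lee and Mr. Park will meet maya ortiz's family at Ridgeview Elementary on 03/14/2025.";
const { sanitized, tokenMap } = stripPII(message, known);
console.log(sanitized);             // only this string would be sent for AI processing
console.log(findLeaks(sanitized, known));
console.log(restorePII("Call [TEACHER_2] about [STUDENT]; [TEACHER_3] is unknown.", tokenMap));
```

The substring-based `findLeaks` is deliberately stricter than the word-bounded replacement, so a value the stripper skipped (for example inside a longer word) still blocks the send.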
AES-256-GCM Encryption at Rest
- ✓ All sensitive data encrypted using AES-256-GCM (NIST SP 800-38D)
- ✓ Encryption keys stored in hardware security modules (iOS Keychain / Android Keystore)
- ✓ PBKDF2 key derivation with 600,000 iterations (OWASP 2023 guidance)
- ✓ Per-session ephemeral keys for transport encryption
- ✓ Key rotation support with dual-key re-encryption window
Cryptographic Transport Layer
- ✓ All payloads pass through stripPII() → AES-256-GCM encrypt → HTTPS pipeline
- ✓ Raw student data never touches API endpoints in plaintext
- ✓ Secure envelope format with version tracking for forward compatibility
- ✓ Token maps stored device-locally — never transmitted to servers
Input Validation & Injection Defense
- ✓ Zod schema validation with .strip() on all incoming data
- ✓ SQL injection pattern detection and rejection
- ✓ NoSQL operator blocking (MongoDB $gt, $regex, $where, etc.)
- ✓ XSS prevention: script tag stripping, event handler removal
- ✓ HTML injection blocking for iframe, object, embed, form elements
- ✓ 2000-character message limit with server-side enforcement
Mobile Endpoint Security
- ✓ Hardware-encrypted secure storage for authentication tokens
- ✓ App state obfuscation: blur overlay when backgrounded prevents screenshot capture
- ✓ Biometric/PIN re-authentication after 5 minutes of inactivity
- ✓ SSL certificate pinning scaffold for MITM attack prevention on school Wi-Fi
Web Perimeter Defense
- ✓ IP-based rate limiting: 5 auth requests/minute, 20 LLM requests/minute per IP
- ✓ Strict Content Security Policy allowing only trusted script sources
- ✓ HSTS with 2-year max-age, includeSubDomains, and preload
- ✓ X-Frame-Options: DENY — complete clickjacking prevention
- ✓ Permissions-Policy: camera, microphone, geolocation, payment all disabled
Research Foundation
Our security architecture is informed by peer-reviewed research in EdTech privacy and cybersecurity:
Zeide (2019) — Role-Based Access Control mandates for educational data governance
Southgate et al. (2019) — Differential privacy and PII-stripping before AI/LLM transmission
Haque et al. (2021) — AES-256 encryption at rest and TLS 1.3 in transit for EdTech platforms
SAMHSA (2014) — Trauma-informed design principles applied to communication interfaces
OWASP Top 10 (2021) — Injection prevention via strict schema validation
Security Questionnaire & Audit Requests
We welcome security reviews from district IT and compliance teams. For vendor security questionnaires, penetration test reports, or SOC-2 audit documentation, contact our security team.
security@inclushift.com