Security & Infrastructure Overview
Last updated: December 9, 2025
This page provides a high-level description of how The Scribe Academy handles hosting, authentication, data storage, and updates. It is intended for technical reviewers and school IT teams evaluating the prototype.
Hosting & Data Location
- Frontend is hosted on Firebase Hosting under the project the-scribes-academy.
- Application data is stored in Google Cloud Firestore in the default region configured for the project.
- Server-side logic runs as Google Cloud Functions in the us-central1 region.
Note: This is a prototype; exact regions and data residency guarantees should be confirmed against the active Firebase project configuration during procurement.
Authentication & Accounts
- Sign-in is handled by Firebase Authentication using Google Sign-In and optional guest access.
- Each authenticated user is associated with a unique Firebase Authentication UID.
- Per-user application state (credits, writing history, roles) is stored under a user-specific document path in Firestore.
Data Protection
- All traffic between browser and backend is encrypted in transit via HTTPS.
- Firestore security rules restrict access to user state based on the authenticated Firebase UID.
- No student essays or outlines are written to local files on the server; they remain in managed Firestore collections.
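For reviewers, a sketch of what UID-scoped Firestore rules for the per-user state described above can look like. This is an added example, not The Scribe Academy's deployed rules: the users/{uid} path, the writing subcollection and the choice to treat credits and roles as server-managed fields are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed path; the page only states "a user-specific document path".
    match /users/{uid} {

      // True only when the caller is signed in and owns this document.
      function isOwner() {
        return request.auth != null && request.auth.uid == uid;
      }

      // Assumption: credits and roles are changed only by Cloud Functions.
      // The Admin SDK bypasses these rules, so server-side updates still work.
      function touchesServerFields() {
        return request.resource.data.diff(resource.data)
                 .affectedKeys().hasAny(['credits', 'roles']);
      }

      // A user can read only their own state.
      allow read: if isOwner();

      // A client may create its own document, but not seed credits or roles.
      allow create: if isOwner()
                    && !request.resource.data.keys().hasAny(['credits', 'roles']);

      // A client may update its own document, except server-managed fields.
      allow update: if isOwner() && !touchesServerFields();

      // Deletion is left to a server-side process (assumption).
      allow delete: if false;

      // Hypothetical subcollection for essays and outlines, owner-only.
      match /writing/{docId} {
        allow read, write: if isOwner();
      }
    }

    // No other match blocks: every path not listed above is denied by default.
  }
}
```

When comparing against the active project, the points to confirm are that no rule grants access on request.auth != null alone and that credits and roles cannot be written from the client.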
AI & Third-Party Services
- Writing feedback and text-to-speech features call Google Gemini APIs via Firebase Cloud Functions.
- Payment flows (when enabled) use Stripe Checkout and webhooks; card data is never handled by The Scribe Academy directly.
- Analytics is provided by Google Analytics / Firebase Analytics for usage metrics.
Updates & Change Management
- Code changes are deployed through a versioned build process (npm run build / firebase deploy).
- Each release is tagged with an application version (e.g., v0.12.99) surfaced in the UI.
- Backups of key configuration and front-end assets are taken automatically before each deploy.
Policies & Future Hardening
The current build is a pilot-focused prototype. Formal policies (data retention, incident response, audit logging, and DPA language) are expected to be finalized as part of a production rollout with partner schools or districts.
- Data retention (planned): define time limits for storing student work and account metadata, with a clear process for deletion on request.
- Incident response (planned): document how security incidents will be detected, triaged, communicated to schools, and remediated.
- Agreements (planned): provide data protection addendum (DPA) language aligned with district and state requirements.