How we keep your papers safe.

Infrastructure

SmarTest runs on managed cloud infrastructure designed for production SaaS workloads. We do not operate our own servers.

• [*]Application layer on Vercel, edge-delivered, auto-scaling, WAF-protected.HTTP/2 and HTTP/3, HSTS preload, strict CSP.
• [*]Database on Google Cloud Firestore (EU multi-region), with workspace-scoped authorisation on every query.No shared tenant schema; every read and write is gated by the authenticated user's uid and admin flags.
• [*]Secrets stored in managed secret stores, never committed to source control.Rotated every 90 days or on personnel change, whichever is sooner.
• [*]Error reporting via Sentry (EU), with PII scrubbing on ingress, planned for post-beta.Not yet active. Today errors are captured in managed Vercel runtime logs.
• [*]Transactional email via Resend, with SPF, DKIM, and DMARC on smartestmaths.ie, planned for post-beta.Not yet active. Contact and ticket submissions in beta are queued in Firestore for operator review.

Access and identity

For users

Accounts are provisioned by the SmarTest admin and handed to the school: there is no public signup. Sign-in is email and password, with the password stored only as a salted hash by Firebase Auth. Sessions last 14 days and can be revoked by the SmarTest admin at any time. Single sign-on (SAML and Google Workspace) is planned for the Department tier.

For staff

• Every team member has an individual account with multi-factor authentication enforced.
• Production access is restricted to named engineers via short-lived, audited credentials.
• Customer data access requires a written justification (support ticket or incident record) and is logged.
• We do not grant standing access to customer content to anyone, including founders.

Incident response

We maintain a written incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. On any incident that may affect customer data we commit to:

• Notifying affected account administrators within 72 hours of confirmed impact.
• Notifying the Data Protection Commission in accordance with GDPR Article 33 where required.
• Publishing a post-incident report on the status page within 10 working days.

Subscribe to status.smartestmaths.ie for live service status and maintenance notices.

For schools and departments

Procurement teams typically ask for the following. We can provide each on request at security@smartestmaths.ie.

• [*]Signed Data Processing Addendum, available at legal/dpa.
• [*]List of sub-processors, kept current at privacy, section 5.
• [*]Data residency statement and SCCs for non-EU sub-processors.
• [*]Annual penetration test summary, for Department tier customers on request.
• [*]Standard security questionnaire (SIG, CAIQ-lite) completed within 10 working days.

Responsible disclosure

If you think you have found a security issue, please tell us before telling anyone else. We will respond within one working day, confirm receipt, and keep you posted while we fix it.

We do not currently run a paid bounty programme, but we publicly credit researchers who report valid issues in our changelog. Do not run automated scanners against production; reach out and we will set up a test environment.