Studeia Docs

Security & LGPD model: isolation, encryption, data rights

Studeia's security model: tenant isolation, AES-256-GCM secrets, HMAC-signed OAuth state, private submission buckets, admin audit log, and LGPD data export/deletion (Art. 18).

2026-05-31 · 7 min read
Short answer

Studeia's security model layers tenant isolation (tenantId on every B2B query + Supabase RLS), AES-256-GCM encryption for secrets and OAuth tokens, HMAC-SHA256-signed OAuth state, private buckets for submissions, server-side HTML sanitization and an admin audit log. For privacy it ships LGPD data export (Art. 18 IV, 1/24h) and account deletion (Art. 18 VI) that anonymizes PII while retaining learning data for fiscal compliance, plus public /privacy and /terms pages.

Tenant isolation

  • Every B2B query filters by tenantId; Supabase Row Level Security policies enforce isolation at the database.
  • Per-tenant API keys, video/avatar provider credentials and OAuth tokens are encrypted at rest with AES-256-GCM.
  • Support impersonation uses a short-lived (1h) HMAC-signed httpOnly cookie and is an in-memory overlay — Supabase auth is never modified. Every impersonation start/stop is audited.

Secrets & OAuth

  • OAuth state is HMAC-SHA256 signed (with OAUTH_STATE_SECRET) and carries a Redis-backed single-use nonce (anti-replay, TTL 15 min) on every connect; on every callback the state is verified and bound to the caller's session.
  • Shared-media link passwords are stored as salt:hash via scrypt, with rate limiting on attempts.

Uploads & content safety

  • An upload's storageUrl must start with the Supabase public storage prefix; otherwise the request is rejected with HTTP 422.
  • Assignment submissions live in a private bucket with a validated prefix ({tenantId}/{courseId}/{lessonId}/{userId}/); downloads use signed, short-lived URLs with ownership checks.
  • HTML from users/LLMs is sanitized server-side (DOMPurify) before any dangerouslySetInnerHTML, including HTML served to the mobile app.
  • Input is validated with Zod on POST/PATCH routes; SSRF prevention blocks private IPv4/IPv6 and metadata endpoints.

Moderation

An AI chat supervisor classifies tutor turns (severity + category) in the background and can warn or quarantine; self-harm signals trigger a non-punitive safety flow with crisis resources and an urgent admin notification.

LGPD / privacy

  • Export (Art. 18 IV): GET /api/user/data-export returns all user data as JSON, rate-limited to 1 request per 24h (Redis cooldown).
  • Deletion (Art. 18 VI): DELETE /api/user/account anonymizes PII and deletes conversational data, but retains learning data (grades, completions, quiz attempts) for ~5 years of fiscal retention (Art. 16 I).
  • Public /privacy and /terms pages are accessible without authentication.
  • Observability via Sentry uses Session Replay with text masked and media blocked, so replays contain no personal data under LGPD.

Audit

Sensitive admin actions (impersonation, plan/config changes, manual payments, role changes) are recorded in an immutable admin audit log with IP and user-agent.

FAQ

How does Studeia isolate data between institutions?

Every B2B query filters by tenantId, enforced in the data layer and reinforced by Supabase RLS policies. Per-tenant API keys, video/avatar provider credentials and OAuth tokens are encrypted at rest with AES-256-GCM. Impersonation for support is short-lived (1h, HMAC-signed cookie) and never modifies Supabase auth.

Can a user export or delete their data (LGPD)?

Yes. GET /api/user/data-export returns all of a user's data as JSON (rate-limited to 1 request / 24h). DELETE /api/user/account anonymizes PII (email, name) and deletes conversational data, while retaining learning data (grades, completions, quiz attempts) for ~5 years of fiscal retention under LGPD Art. 16.

Are uploads and OAuth flows hardened?

Yes. Upload storageUrl must start with the Supabase public storage prefix or it is rejected (422); assignment submissions go to a private bucket with a validated path prefix and signed short-lived download URLs. OAuth state is HMAC-SHA256 signed with a Redis anti-replay nonce on every connect/callback. User- and LLM-generated HTML is sanitized server-side before any dangerouslySetInnerHTML.
