Security Practices
Classroom Captures is built from the ground up to protect student data, photographer accounts, and the trust schools place in their photography partners.
Last updated: April 2026
AES-256 Encryption
Sensitive data encrypted at rest using authenticated encryption
FERPA Compliant
Designed for student data privacy from day one
Argon2id Hashing
Industry-leading password protection resistant to GPU and side-channel attacks
AWS Infrastructure
Hosted on Amazon Web Services with enterprise-grade reliability
1. Encryption & Data Protection
Data in Transit
All communication between your browser and Classroom Captures is encrypted using HTTPS with TLS. This applies to every page, API endpoint, and file transfer across the platform—including the photographer portal, school portal, parent portal, and all administrative interfaces.
Data at Rest
Sensitive credentials and configuration data are encrypted using AES-256-GCM (Galois/Counter Mode), an authenticated encryption standard that provides both confidentiality and integrity verification. This means encrypted data cannot be tampered with without detection.
Encrypted fields include SmugMug API credentials, OAuth tokens, and other third-party service secrets stored on behalf of photographers. Encryption keys are stored separately from encrypted data and are never committed to version control.
Cloud Credential Storage
For automated workflows such as gallery creation, photographer credentials are additionally stored in AWS Secrets Manager, which provides hardware-backed encryption, automatic key rotation capabilities, and fine-grained access controls through IAM policies.
2. Authentication & Access Control
Password Security
All passwords are hashed using Argon2id, the winner of the Password Hashing Competition and the current recommendation for secure password storage. Argon2id is specifically designed to be resistant to both GPU-based cracking and side-channel attacks. Our configuration uses 64 MB of memory and multiple iterations to make brute-force attacks impractical.
Passwords must meet strict complexity requirements: a minimum of 12 characters including uppercase letters, lowercase letters, numbers, and special characters. The platform automatically detects when hashing parameters have been updated and transparently rehashes passwords on next login.
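As an added illustration (not code from Classroom Captures) of the two rules above: the Argon2id parameters a library records in its PHC-format hash string can be compared against the configured policy after a successful login, so a hash produced under older, weaker settings is flagged for transparent rehashing; the complexity check enforces the 12-character rule. The policy values, sample hash strings and the `needs_rehash` / `meets_complexity` names are assumptions for this example.

```python
import re
import string

# Assumed policy matching the page: Argon2id, 64 MB memory, several passes.
# PHC strings express memory in KiB, so 64 MB is m=65536.
POLICY = {"type": "argon2id", "version": 19, "m": 65536, "t": 3, "p": 1}

# Shape of the PHC string Argon2 libraries store, e.g.
# $argon2id$v=19$m=65536,t=3,p=1$<salt-b64>$<hash-b64>
PHC_RE = re.compile(
    r"^\$(?P<type>argon2(?:id|i|d))\$v=(?P<v>\d+)\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$[^$]+\$[^$]+$"
)

def parse_phc(encoded):
    """Extract variant, version and cost parameters from an Argon2 PHC string."""
    match = PHC_RE.match(encoded)
    if match is None:
        raise ValueError("not an Argon2 PHC string")
    return {
        "type": match.group("type"),
        "version": int(match.group("v")),
        "m": int(match.group("m")),
        "t": int(match.group("t")),
        "p": int(match.group("p")),
    }

def needs_rehash(encoded, policy=POLICY):
    """True when the stored hash used weaker or different parameters than policy.
    Call after the password has verified; then rehash and replace the stored value."""
    stored = parse_phc(encoded)
    return (stored["type"] != policy["type"]
            or stored["version"] < policy["version"]
            or stored["m"] < policy["m"]
            or stored["t"] < policy["t"]
            or stored["p"] != policy["p"])

def meets_complexity(password):
    """Enforce the page's rule: at least 12 chars with upper, lower, digit, special."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

# Constructed sample hashes; the salt and digest fields are placeholders, not real output.
OLD_HASH = "$argon2id$v=19$m=16384,t=2,p=1$c2FsdHNhbHQ$aGFzaGhhc2g"
CURRENT_HASH = "$argon2id$v=19$m=65536,t=3,p=1$c2FsdHNhbHQ$aGFzaGhhc2g"
```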
Brute-Force Protection
Login endpoints are protected by rate limiting. After a configurable number of failed attempts (default: 5), the account is temporarily locked for a cooldown period (default: 15 minutes). Rate limits are tracked per IP address and apply to all login portals—photographer, school, parent, and administrator.
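An added example (not the platform's own code) of the lockout logic described above, keyed per IP address with the stated defaults of 5 attempts and a 15-minute cooldown; the class name and the injectable `clock` are assumptions made so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

class LoginRateLimiter:
    """Per-IP failed-login counter with a temporary lockout.

    Defaults follow the page: 5 failures, then a 15-minute cooldown.
    `clock` is injectable (assumption) so tests need not sleep.
    """

    def __init__(self, max_attempts=5, cooldown_seconds=15 * 60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.cooldown = cooldown_seconds
        self.clock = clock
        self._failures = defaultdict(int)   # ip -> consecutive failures
        self._locked_until = {}             # ip -> clock value when lock expires

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Cooldown elapsed: clear the lock and the failure count.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Count a failed attempt; returns True if the address is now locked."""
        if self.is_locked(ip):
            return True
        self._failures[ip] += 1
        if self._failures[ip] >= self.max_attempts:
            self._locked_until[ip] = self.clock() + self.cooldown
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the counter for that address."""
        self._failures.pop(ip, None)

    def remaining_attempts(self, ip):
        if self.is_locked(ip):
            return 0
        return self.max_attempts - self._failures[ip]
```

The same structure keyed on an account identifier instead of the IP gives the per-account lock the page also mentions.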
Session Security
Sessions are configured with security best practices:
- HttpOnly cookies — session tokens cannot be accessed by client-side JavaScript, preventing cross-site scripting (XSS) theft
- Secure flag — cookies are only transmitted over HTTPS in production
- SameSite policy — prevents cross-site request forgery by restricting cookie transmission to same-site requests
- Strict mode — uninitialized session IDs are rejected
- Automatic regeneration — session IDs are regenerated periodically (every 30 minutes) to limit the window for session hijacking
- Configurable lifetime — sessions expire after a set period of inactivity
Role-Based Access
The platform enforces strict separation between user roles. Photographers can only access their own districts, schools, and student data. Schools can only view and manage students within their assigned scope. Parents can only access gallery links provided to them. Site administrators have a separate authentication system with independent credentials.
3. Cross-Site Request Forgery (CSRF) Protection
All state-changing operations (form submissions, data modifications, account changes) are protected by CSRF tokens. Each user session generates a unique, cryptographically random token that must be included with every request. Tokens are verified using constant-time comparison to prevent timing attacks.
4. Input Validation & Sanitization
All user input is sanitized before processing. The platform strips HTML tags, trims whitespace, and encodes special characters to prevent cross-site scripting (XSS) and injection attacks. Email addresses are validated against RFC standards. File uploads are restricted to allowed image types with configurable size limits.
5. Infrastructure Security
Hosting
Classroom Captures runs on Amazon Web Services (AWS), leveraging AWS’s world-class physical security, compliance certifications (SOC 1/2/3, ISO 27001, FedRAMP), and global infrastructure. The application server is hosted on AWS Lightsail with managed firewall rules and automatic backups.
Photo Storage & Transfer
Student photos are uploaded directly to Amazon S3 using pre-signed URLs. This means photos travel directly from the photographer’s browser to AWS—they never pass through our application server. Pre-signed URLs are short-lived (default: 15 minutes) and are scoped to specific files and operations, minimizing exposure.
Background Processing
Automated tasks like gallery creation use AWS Lambda and SQS FIFO queues for reliable, ordered processing. These services run in isolated environments with least-privilege IAM roles, meaning each component can only access the specific resources it needs.
Environment Configuration
All secrets, API keys, database credentials, and encryption keys are stored in environment variables loaded from .env files that are excluded from version control. Production credentials are never stored in source code.
6. Audit Logging & Monitoring
The platform maintains a comprehensive activity log for FERPA compliance and security monitoring. Every significant action is recorded, including:
- Login attempts (successful and failed), including IP address and user agent
- Account changes (password updates, profile modifications, credential configuration)
- Data access events (viewing student records, accessing galleries)
- Data modifications (student imports, roster changes, district/school creation and deletion)
- Administrative actions (account management, billing changes)
Audit logs capture the user type, user ID, action performed, relevant details, IP address, and timestamp. If database logging fails, events are written to server error logs as a fallback to ensure no activity goes unrecorded.
7. FERPA & Student Privacy Compliance
Classroom Captures is designed with the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA) at its core:
- Purpose limitation — Student data is used solely for school photography services. We never use student data for advertising, marketing, or profiling.
- No data sales — We do not sell, rent, or trade student information to any third party.
- Minimal collection — We collect only the student information necessary to deliver photo services: names, grade levels, teacher assignments, and school enrollment.
- School control — Schools retain control over what data is shared with photographers. Parents can request access, correction, or deletion through their school.
- Data retention limits — Student data is retained only as long as needed. Upon account termination, associated data is deleted within 90 days.
- No direct child collection — We do not collect personal information directly from children. All student data is provided by schools or photographers.
- Data Processing Agreements — We provide DPA templates for schools and photographers to formalize data handling responsibilities.
8. Third-Party Service Security
SmugMug
Gallery hosting and photo purchases are handled through SmugMug, which maintains its own security practices and privacy policy. Authentication with SmugMug uses OAuth 1.0a, an industry-standard protocol that allows Classroom Captures to act on behalf of photographers without ever storing their SmugMug passwords.
Stripe
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Classroom Captures never stores, processes, or has access to full credit card numbers. Subscription management uses Stripe’s secure webhook system with signature verification.
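To show what the webhook signature verification mentioned above involves, here is an added example (not Classroom Captures' or Stripe's own code) that checks a `Stripe-Signature` header the way Stripe's v1 scheme defines it: HMAC-SHA256 over `<timestamp>.<raw body>`, a constant-time comparison, and a freshness window against replayed events. The endpoint secret, event payload and helper names are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secret; a real one is issued by Stripe per webhook endpoint.
ENDPOINT_SECRET = "whsec_constructed_example_secret"

def sign_payload(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<payload>', hex-encoded (Stripe's v1 scheme)."""
    signed = f"{timestamp}.{payload}".encode()
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def make_header(secret, timestamp, payload):
    """Build a Stripe-Signature header value (test helper, assumption)."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"

def verify_stripe_signature(header, payload, secret, now=None, tolerance=300):
    """Return True only if some v1 signature matches and the timestamp is fresh.

    The header may carry several v1 entries (e.g. during secret rotation),
    so every candidate is checked with hmac.compare_digest (constant-time).
    """
    timestamp = None
    candidates = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False  # stale or replayed event
    expected = sign_payload(secret, timestamp, payload)
    return any(hmac.compare_digest(expected, c) for c in candidates)
```

Verify against the raw request body bytes exactly as received; re-serialising parsed JSON changes the bytes and breaks the signature.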
AWS Services
Cloud infrastructure (S3, Lambda, SQS, DynamoDB, Secrets Manager) is governed by AWS’s shared responsibility model. We configure all services following AWS security best practices, including least-privilege IAM policies, encryption in transit and at rest, and VPC isolation where applicable.
9. Secure Development Practices
- Separate environments — Development and production use separate databases and configurations. Code is tested in a staging environment before deployment.
- Version control — All code is managed through Git with a review workflow. Sensitive files are excluded via .gitignore.
- Database migrations — Schema changes are managed through versioned migration files, tested in development before applying to production.
- Dependency management — Third-party libraries and SDKs are kept current to incorporate security patches.
- Error handling — Production error messages never expose internal system details, database structures, or file paths to end users.
10. Data Deletion & Account Termination
Photographers can delete student data, school records, and district information at any time through their dashboard. When a photographer’s account is terminated, all associated student data is permanently deleted within 90 days. Schools can request a complete data export or deletion of all records by contacting their photographer or Classroom Captures directly.
Security Questions or Concerns
If you have questions about our security practices or want to report a security concern:
Email: [email protected]
Washington, Utah 84780