Trust & Security

How Reedap protects your credentials

This page is maintained by the Reedap team to answer common security, privacy, and data-handling questions about the Reedap platform. It describes controls that are currently enabled in the app — it is not an independent certification or audit.

Access & authentication

  • Email/password and Google sign-in are supported for issuers, administrators, and learners.
  • Sessions are managed by our backend auth provider with rotating refresh tokens.
  • Role-based access (administrator, issuer, learner) is enforced server-side, not in the browser.
  • Tenants are isolated: members of one institution cannot read or modify data belonging to another.

Data handling

  • Credential records, exam attempts, and certificates are stored in a managed Postgres database with row-level security policies on every user-facing table.
  • Uploaded exam materials are stored in a private storage bucket and served via short-lived signed URLs.
  • Exam attempts become immutable once submitted — answers and scores cannot be edited after submission.
  • Certificate hashes are anchored to the BSC blockchain so anyone can independently verify authenticity using the certificate ID.

Encryption in transit

All traffic between your browser and Reedap is served over HTTPS/TLS. Backend services communicate with the database and storage layer over encrypted connections provided by our hosting platform.

Privacy & retention

  • We collect the minimum data needed to issue and verify credentials: name, email, role, tenant membership, and exam activity.
  • Learners can view their own profile, attempts, and certificates. They cannot see other learners' data.
  • Public verification (/verify) shows only fields necessary to confirm a credential — issuer, course, recipient name, issue date, and on-chain reference.
  • To request deletion of your account or a correction to a credential, contact us at the address below.

Shared responsibility

Reedap is built on Lovable Cloud, which provides managed hosting, database, auth, and storage. Reedap is responsible for application-level policies, role logic, and the accuracy of credentials issued through the platform. Issuing institutions are responsible for the academic decisions behind each credential they sign. Recipients are responsible for protecting their own login credentials.

Nothing on this page should be read as a Lovable-issued certification or an independent attestation.

Security contact

To report a suspected vulnerability or security concern, email security@reedap.com. Please include steps to reproduce the issue and refrain from public disclosure until we have had a reasonable opportunity to investigate and respond.

Last updated June 2026. This page is editable project content maintained by the Reedap team.