BETA PROGRAM NOTICE This document applies to the Kompunik Beta Program, a free, invitation-only research pilot operated by Joss Gillet (Founder of Kompunik). This is an experimental prototype with no service guarantee.

Security Overview

Effective Date: January 1, 2026

Last Updated: January 1, 2026

At Kompunik, the security of your data and the integrity of our platform are fundamental to everything we build. This document provides an overview of the technical and organizational security measures we have implemented to protect our users, their data, and the learning experience.

1. Authentication and Access Control

We employ a multi-layered authentication system to ensure that only authorized users can access the platform and its features.

1.1 Authentication Framework

Auth.js v5 with JWT (JSON Web Token) strategy provides secure, stateless authentication
Email and password authentication with bcrypt password hashing
Single Sign-On (SSO) via Google Workspace and Microsoft Entra ID for organization users, using industry-standard OAuth 2.0 / OpenID Connect protocols
Session tokens are stored in secure, HttpOnly, SameSite cookies to prevent cross-site attacks

1.2 Multi-Factor Authentication (MFA)

Email OTP (One-Time Password): Enabled by default for all personal account users. A time-limited verification code is sent to your registered email address during sign-in.
TOTP (Time-based One-Time Password): Optional authenticator app support (e.g., Google Authenticator, Authy) for stronger security, with backup recovery codes
Organization MFA policy: Organization administrators can require MFA for all users in their organization and configure which MFA methods are allowed

1.3 Role-Based Access Control

Four distinct roles with graduated permissions: Learner, Manager, Organization Administrator, and Super Administrator
Route-level access enforcement in middleware ensures users can only access pages and features appropriate to their role
API endpoint protection with role verification on every server action

1.4 Session Management

JWT tokens with configurable expiration and refresh logic
Secure cookie attributes (HttpOnly, Secure, SameSite=Lax) to prevent session hijacking and CSRF attacks
Rate limiting on authentication endpoints to prevent brute-force attacks (5 attempts per 15 minutes per email)

2. Data Encryption

All data is encrypted both in transit and at rest to protect against unauthorized access.

2.1 Encryption in Transit

TLS 1.2 or higher is enforced on all connections between users and the platform
HTTPS is mandatory; HTTP connections are automatically redirected
HTTP Strict Transport Security (HSTS) headers are set to prevent protocol downgrade attacks

2.2 Encryption at Rest

AES-256 encryption for all data stored in MongoDB Atlas
Encrypted automated backups managed by MongoDB Atlas infrastructure
Media content in DigitalOcean Spaces is encrypted at rest using server-side encryption

2.3 Signed URLs for Media Content

Audio tracks, videos, images, and certificates are delivered through time-limited signed URLs with one (1) hour expiry
Signed URLs are generated server-side and cannot be shared or reused after expiration
Hotlink protection validates request origin and referrer headers

3. Privacy and Data Handling

Privacy is embedded in the design of the platform, not treated as an afterthought.

3.1 GDPR Alignment

Full compliance with the General Data Protection Regulation (GDPR) for all EU data subjects
Data processing is based on clear legal grounds: contract performance, legitimate interest, and explicit consent
Users can exercise their data rights (access, rectification, erasure, portability) at any time

3.2 Privacy by Default

User profiles are private by default -- no personal information is visible to other users unless explicitly enabled
Public profiles, share cards, and community visibility are opt-in features
Privacy-preserving 404 responses for non-existent or private profiles (no user enumeration)

3.3 Consent-Based Data Sharing

Community features (posts, comments, circles, challenges) require active participation
Peer comparison features require explicit opt-in by both the organization and the user
Avatar and profile visibility settings are granular and user-controlled

3.4 No Third-Party Tracking

No third-party analytics services (no Google Analytics, Mixpanel, or similar)
No advertising cookies or cross-site tracking technologies
No data sales to advertisers, data brokers, or any third parties
All analytics are computed internally from our own database using anonymized, aggregated data

3.5 Right to Deletion

Users can request complete account deletion
Account data is purged within 30 days of deletion request
Financial records are retained for 7 years as required by French law

4. Infrastructure and Hosting

Our infrastructure is designed for reliability, security, and data protection.

4.1 Database

MongoDB Atlas cloud-hosted database with automated backups, point-in-time recovery, and cluster-level encryption
SOC 2 Type II certified infrastructure
Database access restricted to application service accounts with least-privilege permissions

4.2 Content Storage

DigitalOcean Spaces (S3-compatible object storage) for media files, certificates, and uploaded assets
Server-side encryption at rest
Access controlled through signed URLs with time-limited expiration

4.3 Application Hosting

Next.js application with Node.js runtime
Environment variable isolation ensures secrets are never exposed to client-side code
Build-time and runtime separation of server and client code

4.4 Automated Backups

Database backups are automated and encrypted by MongoDB Atlas
Point-in-time recovery capability for disaster recovery
Media content stored redundantly in DigitalOcean Spaces with built-in replication

5. Application Security

The application is built with security-first development practices across all layers.

5.1 Input Validation

All user inputs are validated on the server side before processing
Strict type checking with TypeScript across the entire codebase
File uploads are validated for type, size, and content (including SVG sanitization to strip malicious scripts)

5.2 Content Sanitization

User-generated content (community posts, comments) is rendered as plain text using React's built-in XSS protection
Blog content (admin-created) is sanitized using sanitize-html with a strict allowlist of safe HTML tags
SVG uploads are processed through a dedicated sanitizer that removes scripts, event handlers, and foreign objects

5.3 Database Security

Parameterized queries only -- all MongoDB queries use parameterized filters, completely eliminating injection vulnerabilities
No use of $where, eval(), or any dynamic query construction
Database operations are encapsulated in dedicated data access layer functions

5.4 Rate Limiting

Rate limiting is enforced on all sensitive endpoints:
- Sign-in: 5 attempts per 15 minutes per email
- Sign-up: 5 attempts per hour per email
- Password reset: 3 attempts per 15 minutes
- API endpoints: configurable per-route limits
- AI-assisted features: per-user daily budgets
Rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) inform clients of their remaining allowance

5.5 Security Headers

Content Security Policy (CSP): Restricts script, style, image, and connection sources to trusted origins
X-Content-Type-Options: nosniff to prevent MIME type confusion
X-Frame-Options: SAMEORIGIN to prevent clickjacking
Referrer-Policy: strict-origin-when-cross-origin to limit referrer leakage
Permissions-Policy: Restricts access to sensitive browser APIs

5.6 CSRF Protection

Server actions have built-in CSRF protection through Next.js framework mechanisms
SameSite=Lax cookie attribute prevents cross-site request forgery
API routes are protected by authentication and role verification

6. Organization Tenant Isolation

Organizations on the platform operate in isolated environments to prevent data leakage between tenants.

6.1 Data Isolation

All database queries for organization data include the organization identifier as a mandatory filter
Users can only access data belonging to their own organization
Cross-organization data access is prevented at the database query level

6.2 Access Control

Role gates in middleware enforce that users can only access routes appropriate to their organization and role
Organization administrators can only manage users and settings within their own organization
Manager visibility is scoped to their assigned teams (managers see only their team's learners)

6.3 Branding Isolation

Organization branding (logos, display names) is scoped per-organization
Custom branding does not affect other organizations or the global platform experience
Uploaded branding assets are stored in organization-specific paths

6.4 Community Isolation

Organization community spaces are completely separate from the global community
Posts, circles, challenges, and practice rooms created in an organization space are visible only to members of that organization
Organization community features can be enabled or disabled by the organization administrator

6.5 Contract and Seat Management

Contract terms and seat allocations are managed per-organization
Seat assignments are validated against contract limits with atomic database operations to prevent over-allocation
Seat changes trigger appropriate access modifications (grace periods, enrollment updates)

7. Content Moderation

Community content is moderated through a comprehensive six-layer pipeline to maintain a safe and respectful environment.

7.1 Moderation Pipeline

Rate limiting: Prevents rapid-fire posting and spam
HTML sanitization: Strips any HTML markup and potential XSS vectors from user input
Text normalization: Normalizes text to detect evasion techniques (homoglyphs, l33t speak, zero-width characters)
Blocklist matching: Checks content against language-specific blocklists of prohibited terms
AI classification: Content is analyzed by the OpenAI Moderation API for hate speech, violence, harassment, and other harmful content categories
Human review: Flagged content is routed to the admin moderation queue for manual review

7.2 Automated Flagging

Content that triggers blocklist or AI classification thresholds is automatically held for review
Users receive clear feedback when their content requires modifications

7.3 Reporting and Review

All users can report content or behavior through structured reporting with predefined reason categories
Reports are tracked and escalated when multiple reports are received for the same content
Administrators have access to a dedicated moderation queue with filtering and action tools

7.4 Fail-Open Design

If the AI moderation service is temporarily unavailable, content is allowed through to prevent service disruption
Automated moderation is supplemented by community reporting to catch any content that bypasses automated checks

8. Payment Security

Financial transactions are handled with the highest standards of security through our partnership with Stripe.

8.1 PCI-DSS Compliance

All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified (the highest level of payment security certification)
Kompunik never receives, processes, or stores credit card numbers, CVVs, or full payment card details on its servers
Payment card data is entered directly into Stripe's secure payment elements

8.2 Webhook Security

Stripe webhook events are verified using cryptographic signature validation before processing
Event ID deduplication prevents duplicate processing of the same payment event
Webhook endpoint is rate-limited to prevent abuse

8.3 Idempotent Processing

Payment activation is idempotent -- processing the same event multiple times produces the same result without duplicate charges or activations
Transaction records provide a complete audit trail of all payment activities

9. Compliance and Standards

9.1 Current Compliance

GDPR alignment for all EU data subjects, including documented legal bases, data subject rights, and data processing agreements with sub-processors
48-hour incident response target for security incidents -- we commit to investigating and beginning remediation within 48 hours of incident detection
Regular internal security reviews of code, dependencies, and infrastructure configuration
Dependency auditing through automated vulnerability scanning of third-party packages

9.2 Transparency Notes

We believe in being transparent about our current security posture and our roadmap for improvement:

SOC 2 and ISO 27001 certifications are planned for a future phase as the organization scales
Rate limiting currently uses in-memory storage (suitable for single-instance deployments); migration to Redis-based distributed rate limiting is planned for multi-instance production environments
Security testing is currently performed through internal reviews; engagement of an external penetration testing firm is planned
Audit logging infrastructure is under development to provide comprehensive activity trails for compliance and forensic purposes

10. Responsible Disclosure

If you discover a security vulnerability in the Kompunik platform, we encourage you to report it responsibly.

10.1 How to Report

Please send vulnerability reports to compliance@kompunik.org with:

A detailed description of the vulnerability
Steps to reproduce the issue
The potential impact of the vulnerability
Any suggested remediation, if applicable

10.2 Our Commitment

We will acknowledge receipt of your report within 48 hours
We will investigate and provide an initial assessment within 5 business days
We will keep you informed of our progress in addressing the vulnerability
We will not take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices

10.3 Scope

This responsible disclosure policy covers the Kompunik web application and its associated APIs. Third-party services (Stripe, MongoDB Atlas, DigitalOcean) have their own security reporting channels.

11. Contact Us

If you have questions about our security practices or want to report a security concern, please contact us at:

Joss Gillet (Founder of Kompunik) Avignon, France

Security inquiries and vulnerability reports: compliance@kompunik.org
Privacy inquiries: compliance@kompunik.org
General support: contact@kompunik.org

This Security Overview is effective as of January 1, 2026.

Beta-Specific Terms

Experimental Nature

This platform is an experimental prototype. Features may change, be removed, or malfunction without notice. No guarantee of availability, uptime, or performance is provided.

Data Handling

Data collected during the beta may be deleted at the end of the beta period. While we take reasonable care to protect your data, no guarantees are made regarding data persistence or backup.

Feedback Usage

Any feedback, suggestions, or ideas you provide during the beta may be used to improve the product without compensation or attribution.

No Financial Compensation

Participation in the beta is voluntary and unpaid. No financial compensation, credits, or refunds are applicable.

Limitation of Liability

Joss Gillet (Founder of Kompunik) shall not be liable for any direct, indirect, incidental, or consequential damages arising from your use of this beta platform. Use is entirely at your own risk.

Confidentiality (Optional)

You may encounter features or content that are not yet publicly available. While not legally binding, we kindly ask that you treat unreleased features with discretion.

No Commercial Relationship

This beta does not constitute a commercial service, contract, or subscription. No invoices will be issued, and no service-level agreements apply.

Security and Data Protection