Homora

Security

Last updated: May 9, 2026

Your homeschool records — grades, attendance, journal entries, your kids' work — are sensitive. This page describes the controls we have in place. We try to be specific rather than reach for buzzwords.

Where your data lives

Homora is hosted on Vercel and uses Supabase for the database, file storage, and authentication. Both are SOC 2 Type II audited providers. The Supabase Postgres database is encrypted at rest using AES-256. All connections from your browser to the portal use TLS 1.2+ — credentials and student work never travel unencrypted.

Workspace isolation

Each parent-teacher gets a fully isolated workspace. We enforce this in two layers:

  • Application scoping. Every server-side data read goes through readTeacherScopedData(), which derives the workspace from the authenticated session and only returns rows that belong to it.
  • Postgres row-level security. Supabase RLS policies enforce the same boundary at the database level, so a bug in the application layer cannot accidentally expose another family's data.
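
An added example (not Homora's actual schema or policies) of what the database layer of this boundary can look like on Supabase. The table `journal_entries` and its `teacher_id` column are assumptions made for illustration; `auth.uid()` is the Supabase helper that returns the authenticated user's id from the request JWT.

```sql
-- Hypothetical table: names and columns are assumptions, not Homora's schema.
create table public.journal_entries (
  id           uuid primary key default gen_random_uuid(),
  teacher_id   uuid not null references auth.users (id) on delete cascade,
  student_name text not null,
  body         text not null,
  created_at   timestamptz not null default now()
);

-- Policies have no effect until RLS is enabled on the table.
-- With RLS enabled and no matching policy, access is denied by default.
alter table public.journal_entries enable row level security;

-- Reads: a signed-in user sees only rows in their own workspace.
create policy journal_entries_select_own on public.journal_entries
  for select to authenticated
  using ((select auth.uid()) = teacher_id);

-- Inserts: WITH CHECK stops a client from writing a row under another owner.
create policy journal_entries_insert_own on public.journal_entries
  for insert to authenticated
  with check ((select auth.uid()) = teacher_id);

-- Updates: USING limits which rows can be targeted; WITH CHECK stops
-- teacher_id from being reassigned to a different workspace.
create policy journal_entries_update_own on public.journal_entries
  for update to authenticated
  using ((select auth.uid()) = teacher_id)
  with check ((select auth.uid()) = teacher_id);

create policy journal_entries_delete_own on public.journal_entries
  for delete to authenticated
  using ((select auth.uid()) = teacher_id);

-- The policy predicate runs on every query, so index the owner column.
create index journal_entries_teacher_id_idx
  on public.journal_entries (teacher_id);

-- Audit check: any table listed here has no database-level boundary at all.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Queries made with the Supabase service-role key bypass RLS, so for any server code that uses that key the application-scoping layer is the only boundary in effect.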

AI assistant

The AI assistant uses OpenRouter to call language models. When the assistant drafts a proposal, the relevant context (the student name, the assignment in front of you, anything you pasted in) is sent to the model and a draft response comes back. We do not include other students' data in those calls, and we do not use student work to train models. Conversation history is stored under your workspace and is not accessible to other workspaces.

Crucially: the assistant never writes to your portal directly. Every change it proposes goes through an explicit approval click on your end. If you don't click apply, nothing changes.

Authentication

  • Sessions are tracked in HTTP-only cookies; the access token is never exposed to client JavaScript.
  • Simultaneous logins from different devices are detected via heartbeat checks; the older session is signed out so you can't accidentally leave a portal open on a shared computer.
  • Password resets and email-confirmation links go through Supabase Auth and expire after a short window.

Backups & recovery

The Supabase database is backed up daily with point-in-time recovery available. You can also export your own data at any time from the Compliance page (CSV, XLSX, PDF, JSON) — we recommend running a year-end export and storing it locally as your own backup.

What we don't do

  • We don't sell or share data with advertisers.
  • We don't use third-party analytics or tracking pixels on the portal itself.
  • We don't train AI models on your students' work.

Reporting a vulnerability

If you find a security issue, please email security@homora.school with details and steps to reproduce. We'll respond within two business days. Please don't publicly disclose until we've had a chance to fix it.