Legal

Security Statement

Effective July 10, 2026 · Operated by HUSH

HUSH is built with security as a core requirement, not an afterthought. This document is a plain-English summary of the technical controls we rely on.

Infrastructure

  • Hosted on a modern edge platform with automatic TLS on all endpoints.
  • Database hosted on a managed Postgres service with encryption at rest.
  • Daily automated backups retained for 7 days; longer for institutional plans on request.

Access control

  • Passwords are hashed by the authentication service using industry-standard algorithms — never stored in plaintext.
  • Row-level security policies enforce that a teacher can only read and write their own data at the database level.
  • Privileged server operations require both authentication and role checks.
  • Optional Google sign-in for accounts that prefer SSO over passwords.

Payments

All payment processing is handled by Stripe. HUSH never sees or stores full card numbers. Card details are submitted directly to Stripe from the checkout page.

AI processing

Prompts sent to AI providers do not include student names or emails. We contractually restrict providers from training on our data.

Application security

  • Server-side input validation on state-changing endpoints.
  • Server-side authorization checks — we do not rely on hiding UI elements.
  • Content Security Policy and standard security headers on all responses.
  • Dependencies scanned regularly; critical vulnerabilities patched within 7 days.

Monitoring and response

  • Server errors and unusual authentication activity are logged.
  • We investigate credible reports of security issues within one business day.

Reporting a vulnerability

Please email hush.org@outlook.com with details and reproduction steps. We do not currently offer a paid bounty, but we credit reporters on request. Please give us a reasonable window to remediate before public disclosure.

Institutional agreements

A data-processing addendum, subprocessor list, and additional documentation are available for institution and department plans. Contact us at hush.org@outlook.com.

Questions about this document?

Reach us at hush.org@outlook.com — or use our department contact form.