Security & privacy

Built so your students stay anonymous

LessonLens analyses what happens in your classroom without ever storing — or showing — who said it. Here's how the safeguards work, end to end.

Principles

Four promises, not a checklist.

01  Redaction before storage

Student names are stripped from every transcript before it touches our database. Both intake paths — pasted transcripts and AssemblyAI webhooks — call the same redaction step, and that step is fail-closed: if redaction throws an error, we discard the transcript rather than store an unredacted copy.
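The fail-closed shape described above, as an added illustration rather than LessonLens's own code. The page does not say how names are identified, so this example assumes a class roster is supplied with each upload and treats every roster entry as a name to strip; the `store` array, the `[STUDENT]` token and the two intake wrappers are constructed for the example.

```javascript
// Added example, not LessonLens code. Demonstrates one redaction step shared
// by both intake paths, with a post-condition check and fail-closed storage.
// Assumption: names come from a roster passed in with the upload.

const store = []; // constructed stand-in for the database table

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace every roster name (whole word, case-insensitive) with a token.
// Throws if any name survives, so a matching bug can never let an
// unredacted transcript reach storage.
function redactTranscript(text, roster) {
  if (typeof text !== "string") throw new Error("transcript must be a string");
  const names = (Array.isArray(roster) ? roster : [])
    .filter((n) => typeof n === "string" && n.trim() !== "")
    .sort((a, b) => b.length - a.length); // longest first: "Sam Lee" before "Sam"
  if (names.length === 0) throw new Error("roster required for redaction");

  let out = text;
  for (const name of names) {
    out = out.replace(new RegExp("\\b" + escapeRegExp(name) + "\\b", "gi"), "[STUDENT]");
  }
  // Post-condition: no roster name may remain in the output.
  for (const name of names) {
    if (new RegExp("\\b" + escapeRegExp(name) + "\\b", "i").test(out)) {
      throw new Error("redaction incomplete for a roster entry");
    }
  }
  return out;
}

// Single intake function used by both paths. Any redaction failure discards
// the transcript: nothing is written to `store` and the caller gets a reason.
function intakeTranscript(rawText, roster, source) {
  let redacted;
  try {
    redacted = redactTranscript(rawText, roster);
  } catch (err) {
    return { stored: false, source, reason: err.message };
  }
  store.push({ source, text: redacted });
  return { stored: true, source };
}

// The two intake paths differ only in how they unpack the request.
function intakeFromPaste(body, roster) {
  return intakeTranscript(body && body.transcript, roster, "paste");
}
function intakeFromWebhook(payload, roster) {
  return intakeTranscript(payload && payload.text, roster, "assemblyai-webhook");
}
```

Both wrappers funnel into `intakeTranscript`, which is the only function that touches `store`; an exception anywhere in `redactTranscript` returns `{ stored: false }` before the write, which is what fail-closed means in practice.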

02  Transcripts are never displayed

The recording detail page has no transcript view. The redacted copy exists for AI analysis only, so even an authorised mentor or HoD never sees the words your students said — just the AITSL evidence drawn from them.

03  Tiered access by role

Mentors only see lessons that have been explicitly shared with them, and only while an active mentorship exists. Heads of department see aggregated activity across their team — never individual transcripts or comments.

04  Australian hosting

Our database, storage and edge functions run in Australian regions. Audio files transit AssemblyAI for transcription, then transcripts are redacted on our infrastructure before being stored.

Technical details

For the people who read the small print.

Authentication
Supabase Auth with email + password (primary), plus optional Google and Microsoft SSO. Sign-in errors are deliberately generic to prevent account enumeration.
Authorisation
Row-level security on every table. Mentor and HoD access is gated by SECURITY DEFINER helpers (has_active_mentorship, same_school_as) so policy logic lives in one place.
Encryption
TLS 1.2+ for all traffic. Data at rest is encrypted by the underlying managed database and object store providers.
AI processing
Transcripts are sent to Anthropic (Claude) only after redaction. Career-stage and focus filters narrow the rubric server-side before any prompt is built.
Open-redirect protection
The /auth/callback handler validates the next query parameter and accepts only same-origin relative paths, so a poisoned magic link can't bounce you to a third-party domain.
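One way to implement that check, as an added example that is not LessonLens's own handler code. The APP_ORIGIN value, the DEFAULT_NEXT fallback and the `callbackRedirectTarget` helper are assumptions for the example; the origin is taken from configuration rather than from the request so a spoofed Host header cannot widen the allow-list.

```javascript
// Added example, not LessonLens code. Accepts a `next` value only if it is a
// same-origin relative path; everything else falls back to a fixed page.
const APP_ORIGIN = "https://app.example.invalid"; // assumed, placeholder origin
const DEFAULT_NEXT = "/dashboard";                // assumed fallback

// Returns an absolute, same-origin URL suitable for a Location header.
function safeNext(next, origin = APP_ORIGIN) {
  const fallback = new URL(DEFAULT_NEXT, origin).href;
  if (typeof next !== "string" || next === "") return fallback;
  // Exactly one leading slash. "//evil.example" and "/\evil.example" are
  // parsed by browsers as scheme-relative URLs, and "https://..." is not a
  // path at all; all of them fail this test.
  if (!/^\/(?![\/\\])/.test(next)) return fallback;
  // Control characters and whitespace are dropped by URL parsers and can
  // be used to slip a scheme past naive string checks, so reject them.
  if (/[\u0000-\u001f\u007f\s]/.test(next)) return fallback;
  let resolved;
  try {
    resolved = new URL(next, origin);
  } catch (e) {
    return fallback;
  }
  // Resolving against our origin must keep us on our origin.
  if (resolved.origin !== origin) return fallback;
  // Dot-segment normalisation turns "/..//evil.example" into the path
  // "//evil.example"; if that path were ever emitted bare a browser would
  // read it as another host, so reject that shape after normalisation too.
  if (/^\/[\/\\]/.test(resolved.pathname)) return fallback;
  return resolved.href;
}

// How a callback handler would use it; request parsing is assumed.
function callbackRedirectTarget(requestUrl) {
  const url = new URL(requestUrl);
  return safeNext(url.searchParams.get("next"));
}
```

Returning the absolute URL rather than the raw path is deliberate: even if a later refactor weakened one of the string checks, a Location value that starts with the configured origin cannot point at a third-party host.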
Outcome validation
NSW K–10 outcome codes returned by the model are post-validated against the seeded catalogue. Hallucinated codes are dropped, never persisted.

In flight

Pre-pilot work in progress.

We're transparent about what's still being hardened before wider rollout.

  • Migrating Supabase auth emails to a dedicated SMTP provider (Resend / SendGrid) so transactional mail doesn't share infrastructure with platform notifications.
  • Independent verification of every AITSL descriptor against aitsl.edu.au and NSW K–10 outcomes against curriculum.nsw.edu.au.
  • Rotating long-lived AssemblyAI and Anthropic API keys onto per-environment scoped credentials.

Have a security question that isn't answered here? Check the FAQ or reach out via your pilot contact.