Security & Infrastructure

How Classfolio protects school, teacher and student data.

For IT Managers, Network Managers, and technical procurement teams evaluating Classfolio.

Authentication

Identity and authentication

Classfolio uses Firebase Authentication — Google's managed identity service — to handle all sign-in. Authentication is provided through Microsoft and Google identity providers. Classfolio does not manage user passwords directly.

All users — teachers, students, and administrators — sign in using an existing Microsoft or Google account. No separate Classfolio password is created or stored.

Google sign-in

Google OAuth via Firebase Authentication. Users sign in with their existing Google account. Schools using Google Workspace for Education benefit from school-managed identity with no additional setup.

Microsoft sign-in

Microsoft OAuth via Firebase Authentication. Users sign in with their existing Microsoft account. Schools using Microsoft 365 for Education benefit from school-managed identity with no additional setup.

No passwords managed

Classfolio does not issue, store, or reset user passwords. Credential management is handled by Microsoft or Google, reducing phishing exposure, credential-stuffing risk, and password support burden.

Account approval workflow

New teacher accounts require admin approval before they can access the platform. Suspended accounts are blocked at authentication.

Access Controls

Role-based access controls

Access to all data in Classfolio is enforced at the database level using Firestore security rules — not just at the application layer. Each request is evaluated against the authenticated user's role and ownership before data is returned.

Teacher

  • Create and manage own classes
  • Create lessons, assessments, assignments
  • Access own students' results and work
  • Access shared lessons from colleagues
  • Cannot access other teachers' private classes

Student

  • View own assessment results
  • Submit own assignment responses
  • Access own revision materials
  • Cannot read other students' data
  • Cannot modify marking or feedback fields

Admin

  • View all teacher accounts
  • Approve or suspend accounts
  • Access platform audit logs
  • View AI usage statistics
  • Cannot access lesson content or student work

Database-level enforcement

Classfolio uses Cloud Firestore security rules — over 1,100 lines of enforced access logic — to validate every database read and write. A student request for another student's assessment results is rejected at the database layer, not just hidden in the user interface.
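
To illustrate what database-level enforcement of the roles above looks like, here is a small set of Cloud Firestore security rules written for this page; it is an added example, not Classfolio's own ruleset. The collection names, field names and the role/status values on the user profile document are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed data model (constructed for this example, not Classfolio's real schema):
    //   users/{uid}        { role: 'teacher'|'student'|'admin', status: 'approved'|'pending'|'suspended' }
    //   classes/{classId}  { teacherId, studentIds: [uid, ...] }
    //   results/{resultId} { studentId, teacherId, answer, mark, feedback }
    //   auditLogs/{logId}  written only by Cloud Functions (the Admin SDK bypasses these rules)
    function signedIn() { return request.auth != null; }

    // Role and approval status come from the stored profile, never from the request.
    function profile() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
    }
    function isApproved() { return signedIn() && profile().status == 'approved'; }
    function hasRole(role) { return isApproved() && profile().role == role; }

    // Teachers own their classes; enrolled students may read; other teachers get nothing.
    match /classes/{classId} {
      allow read: if (hasRole('teacher') && resource.data.teacherId == request.auth.uid)
                  || (hasRole('student') && request.auth.uid in resource.data.studentIds);
      allow create: if hasRole('teacher') && request.resource.data.teacherId == request.auth.uid;
      allow update, delete: if hasRole('teacher') && resource.data.teacherId == request.auth.uid;
    }

    // Students read only their own results and may change only the answer field;
    // mark and feedback stay teacher-only even if the client sends them.
    match /results/{resultId} {
      allow read: if (hasRole('student') && resource.data.studentId == request.auth.uid)
                  || (hasRole('teacher') && resource.data.teacherId == request.auth.uid);
      allow update: if (hasRole('student')
                        && resource.data.studentId == request.auth.uid
                        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['answer']))
                    || (hasRole('teacher') && resource.data.teacherId == request.auth.uid);
    }

    // Admins manage accounts and read audit logs; no rule grants them lesson or result data.
    match /users/{uid} {
      allow read: if hasRole('admin') || (signedIn() && request.auth.uid == uid);
      allow update: if hasRole('admin')
                    && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['status']);
    }
    match /auditLogs/{logId} {
      allow read: if hasRole('admin');
      allow write: if false;
    }
    // Anything not matched above is denied by default.
  }
}
```

Firestore rules are not filters: a list query is only permitted when the query itself is constrained to satisfy the rule (for example, a teacher listing classes must filter on their own teacherId), and an unconstrained query is rejected even if every document it would return passes.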

Network Security

Transport and browser security

All traffic between users and Classfolio is served over HTTPS, enforced by Firebase Hosting. Security headers are configured on every response to reduce common browser-based attack surfaces.

HTTPS / TLS

Enforced

All connections are encrypted in transit. HTTP requests are automatically redirected to HTTPS by Firebase Hosting.

X-Frame-Options

SAMEORIGIN

Prevents Classfolio pages from being embedded in iframes on third-party sites, protecting against clickjacking attacks.

X-Content-Type-Options

nosniff

Prevents browsers from MIME-type sniffing responses, which reduces the risk of content injection attacks.

Referrer-Policy

strict-origin-when-cross-origin

Limits referrer information shared when navigating to external sites, reducing data leakage.

Permissions-Policy

camera=(), microphone=(), geolocation=()

Explicitly blocks access to device camera, microphone and location for all Classfolio pages.

Static asset caching

1 year (immutable)

Static files are served with long cache lifetimes and content-addressed filenames to ensure browser cache integrity.

API authentication

Firebase Auth tokens

All API calls from the browser are authenticated using short-lived Firebase ID tokens, not long-lived API keys.

Rate limiting

Per user, per feature

AI calls are rate-limited per user per feature with per-minute burst limits. Administrators can additionally set daily per-teacher limits and disable AI features entirely.

Infrastructure

Google Cloud / Firebase infrastructure

Classfolio is built on Google's Firebase platform — a managed cloud infrastructure used by millions of applications worldwide. This means platform availability, maintenance, and infrastructure patching are managed by Google.

Firebase Hosting

Static web application files served via Firebase Hosting — a Google-managed CDN. No web server to patch or maintain.

Cloud Firestore

All application data is stored in Cloud Firestore — Google's fully managed, serverless NoSQL database with built-in encryption at rest, deployed in Google Cloud's London region (europe-west2).

Firebase Authentication

Authentication is handled by Firebase Auth — Google's managed identity service. No passwords are stored in Classfolio's own database.

Firebase Storage

Uploaded files (lesson images, resource documents) are stored in Firebase Storage — Google's managed object storage with encryption at rest, deployed in Google Cloud's London region (europe-west2).

Cloud Functions

Server-side processing (AI marking, data exports, GDPR operations) runs in Cloud Functions — Google's serverless compute platform, deployed in Google Cloud's London region (europe-west2).

Google Secret Manager

API keys and credentials (including the Gemini AI key) are stored in Google Secret Manager, not in application code or environment files.

Infrastructure maintenance is handled by Google. Firebase infrastructure availability, OS-level patching, and hardware maintenance are all managed by Google as part of the Firebase platform service.

Encryption

Data encryption

Classfolio encrypts data both in transit and at rest using standard Google Cloud / Firebase defaults. No additional application-layer encryption is applied — encryption is handled at the infrastructure level by Google.

Encryption in transit

All communication between users and Classfolio is encrypted using HTTPS/TLS, enforced by Firebase Hosting. Connections to the database and storage are also encrypted in transit.

Encryption at rest

Data stored in Cloud Firestore, Firebase Storage, and Cloud Functions is encrypted at rest by default using Google-managed encryption keys — the standard Google Cloud encryption model.

Secrets management

API keys, service credentials, and secrets are stored in Google Secret Manager. They are not stored in application code, environment files, or version control.

AI & Data

How AI is used safely

Classfolio uses Google Gemini to assist teachers with content creation and to mark student short answers. The integration is designed to minimise data exposure.

Teacher-activated only

AI is only called when a teacher explicitly uses an AI feature (generate lesson, mark response, generate resource). AI is never called automatically in the background.

No student identity data sent to AI

When student answers are sent to Gemini for marking, no student name, email, ID, or any personally identifying information is included in the request — only the question definition and the answer text.

Prompt injection protections

Student answer text is submitted as untrusted content in AI marking prompts. The model is explicitly instructed not to follow instructions embedded within student answers.

No AI model training on school data

School, teacher and student data is not used to train or fine-tune AI models. Classfolio uses the paid tier of the Google Gemini Developer API; under Google's paid-tier terms, data submitted is not used to train Google's models.

Rate-limited AI access

AI calls are rate-limited per user per feature with per-minute burst limits. Administrators can set daily per-teacher limits and disable AI features platform-wide.

Teacher review before publication

All AI-generated content is presented as a suggestion for teacher review and editing. AI does not publish content directly to students without teacher approval.

Data Management

Export, deletion and audit

Classfolio has server-side functions for data export, soft deletion, anonymisation and audit logging — built to support GDPR obligations and school data governance requirements.

Data export

Administrators can request a structured export of user data. Class analytics can be exported to XLSX.

GDPR request flow

Users can submit data access or deletion requests through the platform. Requests are tracked in an audited collection.

Soft deletion

Deleted accounts are soft-deleted with a 90-day retention window before permanent removal. Anonymisation is available for immediate identity removal.

Audit logging

Administrative actions are logged to a dedicated audit collection. Audit logs are retained for 365 days by default.

Transparency

What we don't yet claim

We want to be straightforward with IT teams and technical procurement staff about the current state of our security posture.

ISO 27001 or SOC 2 certification

Not currently certified. We rely on Google Cloud's own compliance certifications for infrastructure-level controls.

Specific uptime or availability SLA

Uptime is subject to Firebase platform availability. We do not publish a separate SLA.

Penetration testing certification

Penetration testing has not been independently verified. Security is reviewed internally.

Specific incident response timeframes

We are committed to responsible disclosure and prompt communication in the event of a security incident, but do not currently publish a formal SLA.

Get in touch

Security and technical enquiries

If you have questions about Classfolio's security posture, infrastructure, or technical implementation — for a procurement review, DPIA, or IT sign-off — please get in touch.