Security at Practiz

Last updated: July 2026

Colleges trust Practiz with something sensitive: how their students perform under pressure. Here is exactly how that data is protected — in plain language, with nothing on this page we can't back up in the product.

Your college's data lives in its own tenant

Every record — student, interview, transcript, score — is scoped to your institution. That scoping is enforced in the database layer on every query, derived from the authenticated session, never from request parameters. One college can never read another's data.

Access is role-based, end to end

  • Four roles (administrator, staff, student, platform operator), each with scoped permissions baked into short-lived session tokens.
  • Passwords hashed with bcrypt; refresh tokens stored only as hashes.
  • Repeated failed logins are rate-limited and lock the account temporarily.
  • Live interview connections authenticate with single-use tickets that expire in seconds — long-lived credentials never appear in URLs.

Transport and application hardening

  • All traffic is encrypted in transit (TLS), with HSTS enforced.
  • Strict security headers throughout: frame embedding denied, content-type sniffing disabled, referrer information minimized, and microphone/camera access limited to interview screens.

Interview integrity

Assessment sessions record eight integrity signals — tab switches, window focus, camera and microphone state, fullscreen exits, copy/paste attempts and more — summarized into an integrity score on every report. Flagged sessions are queued for faculty review, not auto-punished.

Humans stay in charge

  • Faculty can override any AI-generated score, with a written reason recorded to an audit trail.
  • Students can appeal any result; staff review appeals per question with the full transcript open.

Data lifecycle

  • Interview audio is processed to produce transcripts and spoken responses during the session; transcripts and scores are retained so reports remain auditable.
  • Detailed interview chat logs follow a 90-day hot-retention policy before archival.
  • Deletions are soft-deleted first, then purged on a defined schedule — so accidental removals are recoverable and intentional ones are real.

What we don't claim

We are an early-stage company. We do not yet hold SOC 2 or ISO 27001 certification, and we won't imply otherwise with badges. What we will do is answer any security questionnaire your IT team sends us, honestly and quickly.

Reporting a vulnerability

Found something? Write to security@practiz.ai. We read every report and respond to genuine findings.