Security

Current posture

CourseKit is a public no-account web app. The safest path for a tool like this is to keep as much processing in the browser as possible, avoid persistent user accounts, and minimize what reaches the server.

Browser-first by design

• Alt-Scan runs in the browser for DOCX, PPTX, and tagged-PDF checks.
• Course Analyzer runs in the browser for IMSCC course exports.
• Question Bank Formatter processes pasted text and uploaded TXT, DOCX, and PDF files in the browser.

Data handling

• No account is required to use CourseKit.
• Uploaded file contents are not stored after processing.
• No third-party analytics or tracking scripts are loaded by the app.

More detail is available on the privacy page.

Security controls

• HTTPS on production hosting
• Frame embedding blocked
• MIME sniffing disabled
• Referrer policy enabled
• Content Security Policy and browser permissions hardening
• Browser-first processing for the highest-risk file analysis flows

Responsible disclosure

If you believe you found a security issue, email victoriglesiascs@gmail.com. A machine-readable disclosure contact is also available at /.well-known/security.txt.

Legacy upload endpoints

Older server upload endpoints for Course Analyzer, Alt-Scan, and Question Bank Formatter now return 410 Gone. Current supported tool flows process files in the browser and do not use those endpoints for analysis or formatting.

Compliance status

CourseKit does not claim SOC 2, ISO 27001, HIPAA, FERPA certification, VPAT completion, WCAG conformance certification, ADA compliance certification, LTI certification, official QM certification, or FIU approval. CourseKit is a workflow tool that institutions may review under their own policies.

Limits

CourseKit is a practical workflow tool, not a formal compliance certification platform. Institutional reviewers should validate privacy, accessibility, procurement, FERPA, records-retention, and security requirements before recommending CourseKit for sensitive or regulated data.