ExamPilotExamPilot
← Back to Home

Security & Vulnerability Disclosure

Last updated: April 2026

Protecting your data is a core responsibility. This page explains the security measures we have in place and how security researchers can responsibly report vulnerabilities.

1. Infrastructure

ExamPilot is hosted on Vercel (SOC 2 compliant). All data in transit is protected with TLS 1.3 encryption, and all data at rest is encrypted using industry-standard encryption algorithms. We enforce HTTPS across the entire platform — there is no unencrypted access to ExamPilot.

2. Authentication

User authentication is handled by Clerk (SOC 2 compliant). We do not store passwords on our servers. Clerk manages all authentication flows, including multi-factor authentication, social sign-in, and session management. This means your login credentials are handled by a specialist provider with robust security practices.

3. Payments

All payment processing is handled by Stripe (PCI DSS Level 1 certified — the highest level of payment security certification). We never see, store, or have access to your full card details. Your payment information goes directly to Stripe through their secure, tokenised payment flow.

4. Data Storage

Your study data, progress, and account information are stored in Convex, an encrypted database hosted in the US-East region. All data is encrypted at rest and in transit. Access to the database is restricted to authenticated application requests only.

5. Responsible Disclosure

If you discover a security vulnerability in ExamPilot, we encourage you to report it responsibly. Please send details to security@exampilot.help. We ask that you:

  • Provide a clear description of the vulnerability and steps to reproduce it.
  • Give us reasonable time to investigate and fix the issue before disclosing it publicly.
  • Do not access, modify, or delete other users' data during your research.

6. What to Report

We are interested in hearing about the following types of vulnerabilities:

  • Cross-site scripting (XSS)
  • Authentication bypass
  • Data exposure or leakage
  • SQL injection or other injection vulnerabilities
  • Privilege escalation
  • Any other issue that could compromise user data or platform security

7. Safe Harbour

We value the work of security researchers and believe responsible disclosure makes everyone safer. We will not pursue legal action against researchers who act in good faith and follow the responsible disclosure guidelines outlined above. If you make a good-faith effort to avoid harming our users and report the issue promptly, we consider your actions to be authorised.

8. Data Breach Policy

In the unlikely event of a data breach, we will notify affected users within 72 hours in accordance with UK GDPR Article 33. Our notification will include a description of the breach, the types of data affected, the steps we are taking to address it, and recommendations for how you can protect yourself. We will also notify the Information Commissioner's Office (ICO) as required by law.

9. Contact Us

For security-related matters, please reach out: