eduSeed Zoom Integration Security Policy
This Security Policy describes the baseline security practices used for the eduSeed Zoom integration and the responsibilities associated with operating that integration and its supporting services.
1. Purpose
eduSeed is committed to protecting the confidentiality, integrity, and availability of data processed through the eduSeed Zoom integration, including instructor workflows, administrative data, OAuth connection data, transcript content, and generated draft summary data.
2. Scope
This policy applies to:
- the eduSeed web application;
- Supabase-hosted backend services and databases used by eduSeed;
- Edge Functions and application integrations, including Zoom; and
- team members or operators with access to production systems or sensitive configuration.
3. Security Principles
eduSeed follows these core principles:
- least-privilege access wherever practical;
- role-based access control for application users;
- defense in depth across authentication, transport, storage, and operational controls;
- secure handling of secrets and integration credentials; and
- human review of sensitive content before it is relied upon operationally.
4. Authentication and Access Control
- Application users authenticate through managed Supabase Auth workflows.
- Access to application data is restricted by role and authorization rules.
- Database Row Level Security (RLS) is used for protected tables where applicable.
- Administrative access is limited to authorized personnel.
- Sensitive operational credentials are stored in managed secrets and are not intended to be hardcoded in source code.
5. Transport Security
- eduSeed is intended to use HTTPS/TLS for all production web and API traffic.
- Third-party API traffic involving Zoom and other integrations is transmitted over HTTPS.
- Sensitive data is not intended to be transmitted over insecure plaintext channels.
6. Data Protection
- Zoom OAuth access tokens and refresh tokens are encrypted before storage.
- Access to production data is restricted to authorized systems and personnel.
- Application records are stored in managed cloud infrastructure with logical access controls.
- Transcript-derived draft summaries are stored in application data stores so authorized instructors and administrators can review and edit them.
7. Zoom Integration Security
The eduSeed Zoom integration uses the following controls:
- individual Zoom account authorization using Zoom OAuth;
- encrypted storage of Zoom OAuth tokens at rest;
- validation of Zoom webhook requests using Zoom secret token and
x-zm-signature; - request timestamp verification to reduce replay risk; and
- event deduplication and controlled processing of recording-related webhook events.
Public webhook endpoints are protected by provider-specific signature verification rather than end-user session authentication.
8. Application Development Practices
eduSeed aims to follow secure development practices including:
- use of version control for application code;
- review of code changes before deployment where feasible;
- use of environment-managed secrets;
- testing in development environments before release; and
- dependency and configuration maintenance as part of normal engineering workflow.
9. Logging, Monitoring, and Vulnerability Management
- Operational logs may be collected for reliability, debugging, and audit purposes.
- Security-sensitive or administrative events may be recorded for accountability and troubleshooting.
- Logs should not intentionally store secrets in plaintext.
- Security issues identified through internal review, bug reports, vendor notices, or dependency advisories should be assessed and prioritized based on severity and exposure.
- Reasonable efforts should be made to remediate high-risk issues in a timely manner.
- Access credentials and integration secrets should be rotated when compromise is suspected.
10. Incident Response
If a suspected security incident occurs, eduSeed operators should:
- assess and contain the issue;
- review logs and impacted systems;
- rotate relevant secrets or revoke affected integrations where necessary;
- remediate the root cause where possible; and
- notify affected parties when required by law, contract, or internal policy.
11. Third-Party Services
eduSeed relies on third-party infrastructure and integrations, including Supabase, Zoom, and AI service providers used in workflow processing. These providers maintain their own security programs and contractual terms. eduSeed's security posture depends in part on the secure operation of those services.
12. Responsible Disclosure
Security concerns or suspected vulnerabilities should be reported to:
- Security contact: info@eduseed.in
13. Policy Maintenance
This policy should be reviewed periodically and updated when there are material changes to eduSeed's architecture, integrations, or security practices.