Security

Lectame is used in education and training. In doing so, data from teachers, organisations and — indirectly — participants is involved. We handle this carefully and try, where possible, to limit the amount.

The text below describes the measures in broad terms. Educational institutions that need additional details (e.g. for a procurement process) can request further documentation via [email protected].

We design Lectame so that as little data as possible is needed:

• Participants in a live session do not need an account and choose their own display name — a pseudonym is enough.
• For guests ("Start for free") we use a random identifier in an HttpOnly cookie instead of an account registration.
• We do not ask for a date of birth, telephone number or address details at account registration.
• Logs are not kept longer than necessary (see the privacy policy).

Lectame runs on infrastructure within the European Union. Our primary database and authentication service are located in an EU region of Supabase; the application server is hosted by Hetzner in Falkenstein, Germany.

For the global edge network (CDN, DNS and protection against attacks) we use Cloudflare. Edge processing may take place outside the EEA; for this, the EU-US Data Privacy Framework applies with additional Standard Contractual Clauses.

• In transit: all our connections run over HTTPS with modern TLS standards and HSTS.
• At rest: storage takes place on platforms that apply encryption at the storage level by default.
• Passwords: stored as hashed values via our authentication provider — we never see your password in readable form.

• Two-factor authentication (TOTP) is available for accounts.
• Logging in from an unknown location, or after logging out, requires re-authentication.
• Abuse-mitigation measures prevent brute-force attacks on passwords.
• For each account, the user can view and end active sessions.

At the database level, strict rules enforce that a user can only access their own data. For sharing presentations or collaborating with colleagues, there is a separate authorisation model in which the owner determines who may do what.

Within our team, access to production systems is limited to what is needed for maintenance, based on segregated roles and audited access.

We monitor error messages, availability and suspicious requests within our own infrastructure. We do not use external error-monitoring services into which personal data could unintentionally end up.

In the event of a possible security incident, we follow an internal procedure: triage → contain → analyse → remediate → document → learn. For data breaches, the following applies:

• Lectame as data processor: we inform the client (the school or organisation) without undue delay after becoming aware. The client then assesses whether notification to the supervisory authority and data subjects is necessary. We support this with the information required.
• Lectame as data controller: in that case we assess ourselves — based on the GDPR risk assessment — whether, and if so within what timeframe, notification to the supervisory authority and the data subjects is necessary.

Our databases are backed up in accordance with the platform policies of our providers. Backups are encrypted and remain within the EEA. Rotating backups may still be present briefly after a deletion request; under the regular backup schedule they disappear automatically.

We use carefully selected suppliers. An up-to-date list — including location and legal safeguard — can be found in our privacy policy and in the data processing agreement. For changes to suppliers, the procedure from the data processing agreement applies.

• AI requests are sent to our AI supplier over an encrypted connection.
• The interface explicitly warns users not to include personal data, patient data or confidential information in prompts.
• We do not use user material or participants' answers to train AI models.

• Participants use only a session code and a self-chosen display name.
• Analytics are not loaded on participant pages without consent.
• Answers are visible only to the teacher or organisation administrator who runs the session.

We appreciate reports from security researchers and users. Email your report to [email protected]. Preferably with:

• A concise description of the issue.
• Reproduction steps or a proof of concept.
• The impact as you assess it.
• The way in which you tested your finding (date, environment).

We confirm receipt of your report and get back to you as soon as we have reached a conclusion. We aim for careful follow-up; we deliberately do not commit to firm response times. Anyone who adheres to these agreements can count on a cooperative and non-legal stance from Lectame.

Schools and organisations that need additional information — for example for a DPIA, procurement or internal IT review — can get in touch via [email protected]. We make additional documentation available under confidentiality agreements.