You trust AdmitPlatform with your students' futures. We take that responsibility seriously—with enterprise-grade security baked into every layer of the platform.
Data at rest is encrypted using AES-256. Data in transit is protected with TLS (requiring TLS 1.1 minimum, with TLS 1.3 supported) and we enforce HTTPS with HTTP Strict Transport Security (HSTS). Database connections outside the private network require TLS, and all third-party integrations use encrypted channels.
Authentication is powered by WorkOS, the same identity platform trusted by companies like OpenAI, Vercel, and Loom. Sessions are sealed and encrypted, with secure cookie settings including HttpOnly, SameSite, and Secure flags.
We enforce a strict Content Security Policy with nonce-based script execution to defend against cross-site scripting (XSS) attacks. Every resource type is explicitly whitelisted, and violations are reported to our monitoring system in real time.
AdmitPlatform runs on Render, a SOC 2 Type II certified hosting platform. Production and development run in network-isolated environments—they never share infrastructure. Our PostgreSQL database is managed with automatic backups, IP-restricted access, and encrypted connections.
All payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. Credit card numbers never touch our servers. Billing data is managed entirely within Stripe's secure environment.
We run real-time error and exception monitoring across both our backend and frontend, with CSP violation reporting to catch injection attempts early. Uptime is continuously tracked, and our public status page lets you check platform health any time.
Beyond the big-ticket items, we follow industry best practices at every level.
Every state-changing request is validated with CSRF tokens. Cross-origin requests are restricted to explicitly trusted origins.
X-Frame-Options and CSP frame-ancestors headers prevent AdmitPlatform from being embedded in malicious iframes.
A strict referrer policy prevents sensitive URL data from leaking to third-party services.
All cookies are configured with Secure, HttpOnly, and SameSite flags to prevent interception and cross-site attacks.
Our production database is restricted by IP allowlists and requires encrypted connections. Backups are automated and managed by our hosting provider.
Every deployment runs database migrations and verifies integrity before live traffic is served. No manual server access is required.
Static assets are served through Cloudflare's global CDN with built-in DDoS mitigation.
We actively monitor and update third-party dependencies to patch known vulnerabilities. Version pinning minimizes supply chain risk.
We collect only the data necessary to deliver our services. We never sell your information. For full details, see our Privacy Policy.
Have a security question or want to report a vulnerability? We'd love to hear from you. If you believe you've found an issue, we ask that you give us reasonable time to investigate before making any information public.