Current controls
- Public site and APIs are deployed on Vercel with HTTPS.
- Payment card details are handled by Stripe Checkout, not collected directly by Math Foundation.
- The demo stores learner progress locally in the browser during the alpha period.
- School rollout forms should capture adult buyer and procurement details, not student personal information.
- Security headers include strict transport security, frame protection, content-type protection, and a restrictive permissions policy.
Current limitations
Production learner accounts, persistent server-side learner records, and school SSO are not yet represented as fully launched. Security review will be updated before those features are promoted.
Contact
Report security concerns privately to hello@math.foundation.