Security overview
Draft — under counsel review · 2026-07-04
What actually protects your family's information — stated only as far as it is true today. As protections land, this page grows; it never runs ahead of the code.
Signing in
Passwordless email links that work once and expire in 15 minutes. Each guardian has their own account; a new device requires an extra email confirmation before it is trusted, and sensitive actions (payments, decisions) re-confirm your identity at the moment you act.
Access control
Row-level security in the database — not just the app — scopes every read: guardians see their own family (as custody arrangements allow), invited Legacy Circle members see only what you have explicitly shared, staff see by role, and campuses in different networks are completely isolated. These rules are covered by an automated policy test suite that runs before every release.
Sensitive documents
IEP/504 and similar documents are encrypted with keys held outside the database, readable only by the Admissions Director and Registrar, and excluded from every marketing or analytics system.
Audit trail
Every change to family data writes an audit record in the same transaction. The audit table is append-only at the database level — revoking edit rights from every system role, including our own servers.
Payments
[PENDING counsel] — final language lands only after counsel review.
Card details never touch GT systems — payments are processed by Stripe (PCI SAQ-A posture). Full statement lands with the payments release.
Subprocessors
[PENDING counsel] — final language lands only after counsel review.
The complete list of vendors that process family data, with what each one sees, will be published here before launch.
Reporting a concern
[PENDING counsel] — final language lands only after counsel review.
A dedicated security contact and disclosure policy will be published here before launch. Until then, reach the admissions team directly.