Trust, security and compliance

Schools entrust LemoBee with data about teachers, students and families. This page explains how we protect it.

Last updated: 2026-05-23

Security overview

Every response from lemobee.com ships with the following protections out of the box.

  • HSTS preload

    Strict-Transport-Security with preload directive. Browsers only ever connect to LemoBee over HTTPS.

  • Cross-origin isolation

    Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin block cross-window attacks.

  • Permissions Policy

    Camera, microphone, geolocation, payment, USB and interest-cohort APIs are all blocked at the browser level.

  • Clickjacking protection

    X-Frame-Options: SAMEORIGIN prevents external sites from embedding LemoBee in an iframe.

  • MIME-type pinning

    X-Content-Type-Options: nosniff stops browsers from guessing content types.

  • Referrer policy

    Referrer-Policy: strict-origin-when-cross-origin minimizes data leaked to third-party domains.

  • Content Security Policy

    CSP is enforced via middleware with per-request nonces; no inline script can execute without an explicit nonce.

Compliance roadmap

Where we stand on each major framework today.

  • SOC 2 Type I
    Status: In progress

    Audit in flight with target completion in Q4 2026.

  • GDPR
    Status: Available

    GDPR Data Processing Addendum (DPA) available on request for EU and Albanian customers.

  • FERPA
    Status: Aligned

    FERPA-aligned data handling for US school customers; we act as a school official under the audited contractor exception.

  • COPPA
    Status: Compliant

    COPPA-compliant data minimization for students under 13; parent / school consent flows enforced.

Sub-processors

The third-party providers we use to deliver the service.

  Provider    Purpose                                         Region
  Vercel      Web hosting & edge network                      Global edge
  Supabase    Database & authentication                       EU (Frankfurt)
  Anthropic   AI for the lemobee.com chatbot                  US
  Mistral     AI for teacher tools (worksheet generation)     EU
  Google      Workspace email & Analytics                     Global

Data residency

Where customer data lives at rest.

Default region

European Union (Supabase Frankfurt region)

Enterprise options

US and APAC data residency available on request for enterprise school customers.

Vulnerability disclosure

Found a security issue? We'd love to hear from you.

Acknowledgement

Within 24 hours

Initial response

Within 7 days

Coordinated disclosure

90 days from initial report

Need our SOC 2 letter, DPA or sub-processor list?

Procurement, security or DPO teams can reach our team directly for evidence packs and questionnaires.