Riakoo

Security

Last updated: June 8, 2026

Our Security Commitment

Security is core to Riakoo's design. We protect exam integrity and participant data using industry-standard practices at every layer of the stack.

Infrastructure

  • Hosting — deployed on Vercel with automatic TLS (HTTPS) on all connections.
  • Database & Storage — Google Firebase (Firestore and Cloud Storage) with server-side security rules that enforce strict per-user and per-role access control.
  • Authentication — Google OAuth via Firebase Auth. Session tokens are stored in HTTP-only, Secure, SameSite cookies; never in localStorage.

Data Protection

  • Passwords — participant passwords are hashed with bcrypt (cost factor 10) before storage. Plain-text passwords are never written to disk or logs.
  • Exam answers — correct answers are stored server-side only and never returned to the browser, even during an active exam session.
  • Encryption at rest & in transit — all data in Firestore and Cloud Storage is encrypted at rest by Google. All traffic is encrypted in transit via TLS 1.2+.
  • Webhook integrity — payment webhooks from Lemon Squeezy are verified using HMAC-SHA256 before any database write.

Application Security

  • All API routes validate the caller's session and enforce ownership checks — a proctor cannot access another proctor's exams, and participants cannot read other participants' sessions.
  • Input validation and allowlist-based PATCH endpoints prevent mass assignment and unauthorized field writes.
  • Content Security Policy (CSP) and security headers are configured at the edge to mitigate XSS and clickjacking.

Proctoring Data

  • Screenshots are uploaded directly to Firebase Cloud Storage via the server-side API. Clients never receive a writable storage URL.
  • Storage security rules block any client-side writes; only the Admin SDK (running on the server) can write screenshots.
  • Proctoring data is scoped per session and accessible only to the exam owner (proctor).

Vulnerability Disclosure

We take vulnerability reports seriously. If you discover a security issue, please disclose it responsibly:

  1. Email support@riakoo.com with a description of the vulnerability and steps to reproduce.
  2. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and patch (typically 30 days).
  3. We will acknowledge your report within 48 hours and keep you updated on our progress.

We are grateful to security researchers who help keep Riakoo safe.

Contact

For security inquiries: support@riakoo.com
General questions: hello@riakoo.com