University readiness roadmap
This page is for the IT, security, and procurement teams who evaluate Twinbook — at universities and other institutions. It states honestly what exists today versus what is on our roadmap, so you can plan an evaluation without surprises. We will not list an artifact as "available" until it actually exists.
Last updated: 2026-06.
What exists today
| Area | Status | Notes |
|---|---|---|
| Encryption in transit & at rest | ✅ In place | HTTPS/TLS + HSTS; AES-256 at rest on enterprise cloud infrastructure (managed database, object storage, document store). |
| Authentication & access control | ✅ In place | Managed-provider auth (no password storage by Twinbook); per-request authorization; per-user/space data isolation; verified against cross-account access tests. |
| Secret management | ✅ In place | Credentials in a managed secrets manager, injected at deploy; not in source. |
| Internal/service-to-service auth | ✅ In place | Authenticated internal calls + cryptographic verification of queued events. |
| Rate limiting on auth endpoints | ✅ In place | Login / register / password-reset / email-check are rate limited. |
| Signed, expiring file access | ✅ In place | Cryptographically signed, document-bound, expiring tokens for PDF/image access. |
| Payment security | ✅ In place | Stripe (PCI-DSS L1); webhook signature verification; Twinbook stores no raw card data. |
| Subprocessor transparency | ✅ In place | Published Subprocessors list with change-notice under agreement. |
| Audit logging | ✅ Baseline | Auth, API, AI-usage, and admin-action logging. Expanding as part of SOC 2 readiness. |
| Deletion | ✅ In place | Account/space/content deletion across database, document store, and file storage; cascade-configured. |
| Note export & portability | ✅ In place | Export your notes — including the drawings and images inside them — at any time, in-app. Work is portable; no lock-in. |
| Internal security review | ✅ Done | Source-level audit + live endpoint verification completed pre-launch; findings remediated. |
| Data-processing agreement (DPA) | ✅ Available on request | FERPA-aligned addendum and DPA available for institutional agreements. |
On the roadmap
| Area | Status | Plan |
|---|---|---|
| HECVAT | 🟡 Roadmap | We will complete a HECVAT for active university evaluations and intend to publish one as we mature. The HECVAT consolidates cybersecurity, privacy, IT-accessibility, and compliance information for higher-ed vendors. |
| SOC 2 | 🟡 Roadmap | We are aligning controls to the SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Not yet certified. |
| Accessibility / VPAT | 🟡 Roadmap | Accessibility improvements underway; a VPAT is a planned artifact. |
| Self-serve memory controls | 🟡 Roadmap | In-app inspection and selective reset of learning memory (today this is handled via space/account deletion and support requests). |
| Account-level data export | 🟡 Roadmap | Note export (with drawings and images) is available today; a broader full-account data export is planned. |
| Third-party penetration test | 🟡 Roadmap | An independent pentest is planned to complement the internal review. |
| Network-level service isolation & infra hardening | 🟡 Ongoing | Continued defense-in-depth on the deployment perimeter beyond the app-layer controls already in place. |
| Admin / institutional controls | 🟡 Roadmap | Institution-level provisioning, role management, and oversight features. |
What we'll do for an active evaluation
For a university actively evaluating Twinbook, we can:
- complete your HECVAT (or equivalent security questionnaire),
- sign an NDA and a DPA / FERPA-aligned addendum,
- walk your security team through our architecture and controls,
- provide our subprocessor list with change notice, and
- agree to deletion / return terms for the end of the engagement.
How we talk about compliance (our commitment to you)
We will only ever describe a certification or artifact as "complete" when it genuinely is. Until then, you'll see "on our roadmap" or "available on request." If you ever see us overstate a compliance status, tell us — accuracy here is part of how we earn institutional trust.
To begin an evaluation, request a questionnaire response, or get our DPA, contact us.