Security

All data sent between your device and K12 Crafter is encrypted in transit using HTTPS. The information we store is held with hosting providers that encrypt data at rest.

Passwords are stored as secure one way hashes, never as plain text. Admin access uses a second factor and is limited to the people who need it to run the service. Child profiles have no login of their own and cannot be used to sign in on their own.

We do not trust data from the browser. Practice answers are graded on the server, and the correct answer is not sent to the page ahead of time. Prices and access to paid content are confirmed on the server, so changing data in the browser does not unlock anything.

Worksheet files are stored in a private, access controlled bucket. Download links are signed and short lived, so a link cannot be shared to give others lasting access to your files.

Sign in, checkout, and practice endpoints are rate limited to slow down brute force attempts and scraping. Repeated failed logins trigger a temporary lockout.

We collect as little as possible from children: a first name or nickname, a grade, and practice progress, nothing more. Child profiles cannot start purchases or change account settings, and the kid zone gives a child no way to share personal information with others. We never show ads to children and we never sell personal information. See our children's privacy section for details.

Payments are handled by Stripe. Card details go directly to Stripe and are never stored on our servers.

We monitor for issues and work to detect, contain, and fix security problems quickly. If an incident affects your personal data, we will notify you and take the steps the law requires.