TrainOS

Security & Trust

This page is maintained by TrainOS to answer common security and privacy questions about the app. It describes controls currently enabled — it is not an independent certification.

Authentication

Passwords are hashed by our authentication provider and screened against the Have I Been Pwned breached-password list, so users cannot reuse a known-compromised password. Google sign-in is supported. Sessions are stored in the browser and refreshed automatically; signing out revokes them on all tabs.

Access control

Trainer contact details, uploaded certificate files, company records and administrative actions are protected by row-level policies in the database. UI checks are a convenience layer only; the database rejects any request that violates the policy, even if the UI is bypassed.

File storage

Uploaded certificate files are kept in a private bucket. Access is granted only through short-lived signed URLs (60 seconds) issued to signed-in users with an active pass, admins, or the file's owner. Direct links do not work outside that window.

Transport and infrastructure

All traffic is served over TLS. The app runs on a managed serverless edge network with DDoS protection. Backups and monitoring are handled by our database provider.

Data separation

Trainer profile data, company data and administrative data are separated by database policies scoped to auth.uid() and by dedicated administrator role checks. No client code can escalate to the service-role key.

Responsible disclosure

If you find a vulnerability, please email hello@thetrainos.com with steps to reproduce. We commit to acknowledging within two business days and to not pursue researchers who report in good faith and do not exfiltrate data or degrade the service.

Related