Security White Paper
How Ace the Test protects your data and your account
Last updated: May 2026
Security is foundational to Ace the Test. This white paper summarizes the technical and organizational measures we use to protect your account, your study materials, and your personal data. It is provided for transparency and may be updated as our service evolves.
Authentication & Account Security
- Sign-in is powered by Firebase Authentication, Google's managed identity platform.
- Sessions use short-lived ID tokens (JWT) that are sent only over encrypted connections in the Authorization header and are never kept in insecure browser storage.
- We support Google sign-in (OAuth 2.0) as well as email and password.
- Password resets and email verification use single-use, time-limited action codes.
- Sign-up, sign-in, and password reset are protected against bots and abuse by Google reCAPTCHA Enterprise.
Encryption & Secure Transport
- All communication between your browser and our servers is encrypted with HTTPS/TLS.
- HTTP Strict Transport Security (HSTS) enforces encrypted connections, and our Content Security Policy upgrades any insecure request to HTTPS.
- Data stored on our infrastructure is encrypted at rest by Google Cloud and Firebase.
Access Control & Data Isolation
- Storage security rules ensure that each user can only read and write their own files.
- Uploaded files are validated by type and limited in size (up to 100 MB) to prevent abuse.
- All other storage paths are denied by default.
- Every backend API request is authorized against your verified identity token.
Application Hardening
- A strict Content Security Policy (CSP) restricts which scripts, styles, and connections the application may load.
- Clickjacking is prevented with X-Frame-Options and frame-ancestors restrictions.
- Additional response headers block MIME-type sniffing, control referrer information, and disable access to the camera, microphone, and location.
- Cross-site scripting (XSS) is mitigated through React's automatic escaping, output-encoding of structured data, and a policy that forbids eval-based code execution.
Payment Security
- Payments are handled entirely by Stripe, a PCI DSS Level 1 certified provider.
- We never see or store your full card number or other sensitive payment credentials.
- Subscriptions are managed through Stripe Checkout and the Stripe Customer Portal.
AI Processing & Your Content
- AI quiz generation runs on our secured backend, not in your browser.
- AI provider API keys are stored in Google Cloud Secret Manager and are never exposed to the frontend.
- Your study materials are used to generate your quizzes and are not sold to third parties.
Privacy & Your Rights
- We practice data minimization, collecting only what is needed to operate the service.
- Deleting your account permanently removes your associated data, including materials, quizzes, and study sessions.
- For full details on how we handle personal data, please see our Privacy Policy.
Infrastructure & Operations
- The service runs on Google Cloud Platform (Cloud Run) and Firebase, benefiting from Google's infrastructure security.
- Dependencies are monitored for known vulnerabilities and updated regularly.
- Rate limiting and automatic retries protect the service against abuse and overload.
Reporting a Vulnerability
- If you believe you have found a security issue, please contact us through our website so we can investigate and respond responsibly.