Last updated: May 7, 2026
Security
This page explains the main security measures used by NextPrep Academy for accounts, payments, protected course access, and platform operations.
Security approach
We design the service so that sensitive operations are handled by established providers, access checks happen server-side, and private course material is not placed in public folders. No online service can be guaranteed to be risk-free, but we use practical controls to reduce exposure and protect user access.
Payments
- Payments, subscriptions, invoices, fraud checks, and payment method handling are processed by Stripe.
- NextPrep Academy does not store full card numbers, CVC codes, or raw payment card details on its own servers.
- Checkout is started from authenticated account sessions, and sensitive payment events are synchronized through Stripe webhooks.
- Receipts, refunds, subscription state, and entitlement changes are based on Stripe payment records and server-side reconciliation.
Accounts and authentication
- Authentication uses Firebase Authentication for email/password and supported OAuth providers such as Google or GitHub.
- The application creates its own server-side session using an httpOnly cookie, so client-side scripts cannot read the session token directly.
- Session tokens are stored hashed server-side and expire automatically.
- Email verification may be required before using gated features such as the AI Study Assistant.
Protected course access
- Course source files are kept outside the public web directory.
- The browser does not receive direct PDF or PPTX download links for protected course material.
- Course pages are requested through authenticated API routes that check the user session and paid access before returning page content.
- Direct download endpoints are intentionally disabled for protected files.
Infrastructure and data
- The app is designed for deployment on Vercel and uses HTTPS in production.
- Production account, session, entitlement, purchase event, chat, and email queue data are stored through Firebase/Firestore when configured for production.
- Firebase Admin is used server-side only for privileged operations such as token verification, email verification checks, and password reset links.
- Transactional emails can be queued through Firebase Trigger Email from Firestore.
- AI Study Assistant requests are routed through the configured n8n webhook endpoint, with request size limits, rate limits, and daily credit controls.
Operational protections
- State-changing browser requests use trusted-origin checks where applicable.
- Sensitive API responses use private no-store caching headers where appropriate.
- Rate limits are applied to features that can be abused, including the AI assistant workflow.
- Stripe webhook processing includes idempotency patterns to reduce duplicate side effects.
- Secrets are expected to be stored as environment variables and must not be committed to the repository.
User responsibilities
- Use a strong, unique password if you create an email/password account.
- Keep your email inbox and OAuth provider account secure, because they may be used for login or account recovery.
- Do not share your account, session access, private course content, or checkout links with unauthorized users.
- Contact us promptly if you notice suspicious account activity or an unexpected payment.
Limits and disclosure
These security measures are provided for transparency and do not create a guarantee that the service will be uninterrupted, vulnerability-free, or immune from all unauthorized access. To report a security concern, contact info@paoloronco.it.