Trust center / public engineering posture

Security controls, limitations and the work still in progress.

This overview describes current application safeguards without implying a certification or audit that Examo has not completed.

FIELD NOTE 01

Identity and access

Access tokens use pinned verification, refresh tokens are stored as hashes and rotated atomically, and password resets revoke refresh sessions. Sensitive artifact endpoints verify ownership and hide cross-account existence.

  • Hashed refresh sessions
  • Atomic rotation
  • Owner-scoped artifacts

FIELD NOTE 02

AI and file boundaries

Tool arguments, uploads and extracted content are validated on the server. Loki treats retrieved and webpage content as untrusted data and requires confirmation before an action spends quota or mutates state.

  • Tool allowlist
  • Prompt-injection boundaries
  • Archive and image limits

FIELD NOTE 03

Known maturity limits

Examo has not represented itself here as SOC 2 or ISO 27001 certified. Horizontal worker durability, institutional tenancy and independent penetration testing remain roadmap gates.

  • No invented certification
  • Published limitations
  • Responsible disclosure contact

Direct answers

Questions people should ask before signing up.

Review the evidence register
Where should I report a vulnerability?

Send a reproducible report to security@examo.me. Do not access data that is not yours or disrupt the service.

Is Examo independently certified?

No certification is claimed on this page. Contractual or audit evidence should be requested directly before institutional procurement.

Are uploaded files public?

Course files and generated private artifacts are intended to remain access-controlled unless the user explicitly uses a sharing feature.

Make the next step concrete

Use the product, inspect the controls, and judge it against your real course.

Contact security
Security controls, limitations and the work still in progress. | Examo