UniRubric — Architecture Brief
2026-05-15
For institutional security reviews

Production architecture, in one page.

The diagram below is the same one we use in the 90-second architecture explainer video on this site. It is LMS-agnostic by design — the labelled "Your LMS" box is whichever platform your institution runs.

[Diagram. Region: AP-SOUTHEAST-2 · Sydney (default tenant region); EU + US regions available on contract. Components: Your LMS (Canvas, Moodle, Blackboard, Brightspace, Sakai…); Cloudflare (DDoS · WAF · TLS 1.3); Vercel (Next.js 15 functions · Sydney edge); Supabase Postgres (AES-256 at rest · RLS · pgcrypto PII); Anthropic (inference · no retention); audit_log + RLS-enforced tables (every privileged action, immutable). Connection labels: LTI 1.3 / OIDC; TLS 1.3; Inference.]
Figure 1 — UniRubric production architecture, AU-pinned by default.

Data residency

Primary region
ap-southeast-2 (Sydney). All Supabase Postgres tenants and Vercel Functions for AU customers pinned here.
EU region
eu-central-1 (Frankfurt). Available on contract for institutions with GDPR sovereignty requirements.
US region
us-east-1 (Virginia). Available on contract.
Cross-region replication
None by default. Tenant data does not leave its pinned region without explicit contract terms.
Inference compute
Anthropic API. Inference traffic egresses to the nearest Anthropic region. Submission text leaves the database in a TLS 1.3 tunnel, is processed in-memory by the inference service, and is not retained by Anthropic past the response.

Encryption posture

In transit
TLS 1.3 enforced end-to-end. HSTS preload submitted. Internal service-to-service traffic over TLS within AWS VPC perimeters.
At rest (database)
AES-256 via Supabase managed Postgres.
At rest (field-level PII)
pgcrypto applied to student names and email addresses in the B2C tier. Institutional tier uses LMS-issued identifiers, not raw email.
Secrets
Vercel encrypted env vars (per-project, per-environment). Rotation cadence documented in master spec §23.
JWKS / LTI signing
ES256 (P-256). Public JWKS at https://app.unirubric.com/lti/jwks.

Tenant isolation

Tenants are isolated at the database row level via Supabase Row-Level Security (RLS) policies, enforced at every read and write. Every table that holds tenant data has a policy that restricts access to rows scoped to org_id = current_tenant() or, for B2C accounts, to user_id = auth.uid(). Service-role keys (which bypass RLS) are segregated by purpose and never sent to the browser. Cross-tenant access requires both a service-role key and explicit code in a server-only route — there is no path from one tenant’s session to another tenant’s data.
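A minimal sketch of the org_id = current_tenant() pattern described above, followed by a catalog query a reviewer can run to find tenant tables that lack RLS or have no policy. This is an added example, not UniRubric's schema: the rls_demo schema, the table definition, the policy name, the app.tenant_id setting and the body of current_tenant() are all assumptions.

```sql
-- Added example with hypothetical names; not UniRubric's own schema.
CREATE SCHEMA rls_demo;

-- Assumption: server code sets app.tenant_id per transaction.
-- When the setting is absent this returns NULL, so the policy matches no rows.
CREATE FUNCTION rls_demo.current_tenant() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('app.tenant_id', true), '')::uuid
$$;

CREATE TABLE rls_demo.grading_runs (
  id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  org_id  uuid NOT NULL,
  status  text NOT NULL
);

ALTER TABLE rls_demo.grading_runs ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner too.
-- Roles with BYPASSRLS (the service-role case) are still exempt.
ALTER TABLE rls_demo.grading_runs FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserts and updates that would write another tenant's org_id.
CREATE POLICY tenant_isolation ON rls_demo.grading_runs
  FOR ALL
  USING (org_id = rls_demo.current_tenant())
  WITH CHECK (org_id = rls_demo.current_tenant());

-- Review query: every table with an org_id column that has RLS disabled
-- or no policy attached. An empty result is the expected outcome.
SELECT c.oid::regclass       AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       count(p.polname)      AS policy_count
FROM pg_class c
JOIN pg_attribute a
  ON a.attrelid = c.oid AND a.attname = 'org_id' AND NOT a.attisdropped
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind IN ('r', 'p')
GROUP BY c.oid, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity OR count(p.polname) = 0
ORDER BY 1;
```

The review query only proves that a policy exists on each table; the policy expressions themselves are listed in the pg_policies view and still need to be read.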

Sub-processors

The full sub-processor list — purpose, region, and data category for each — is published at /contracting/legal/subprocessors. Material changes require 30 days’ notice to tenants.

Audit

All privileged actions write to an immutable audit log at insertion. Schema-level: every grading_runs approval, deletion, and override is recorded with the actor, timestamp, and prior state. Platform-level: Supabase Postgres audit log, Vercel function logs, Cloudflare access logs, all retained 90+ days. Tenant-scoped audit exports available on request.

Companion documents

This brief is one document in a bundle accessed by CISO, CIO, and IT-admin reviewers via the gated form at /security. Companion documents in that bundle:

  • CAIQ-Lite v4 pre-fill (XLSX)
  • Sub-processor list
  • Compliance attestations index
  • LTI 1.3 conformance statement
  • Encryption posture detail
  • Incident response runbook
UniRubric · info@unirubric.com