This page separates vendor documentation from Scholar Current production evidence. Vendor documentation explains what a provider supports. Production evidence is the screenshot, dashboard setting, contract, or export retained by Scholar Current to show how this specific account is configured.
The API uses PostgreSQL through DATABASE_URL; production database security therefore
depends on the Render/Postgres configuration.
Render documents AES-256 at-rest encryption for Render Postgres primary/replica instances and backups, plus TLS for external database connections.
Capture dashboard evidence for region, plan, PITR window, backup/export settings, external access rules, admin access, and restore process ownership.
| Area | What The Vendor Docs Say | Scholar Current Production Evidence Needed | Current Production Status | Owner / Review Cadence |
|---|---|---|---|---|
| Render Postgres encryption at rest | Render states that Render Postgres databases are encrypted at rest using AES-256, including primary instances, replicas, and backups. | Screenshot or saved PDF of the Render database page showing the production database, plan, region, and link to Render encryption/security docs used for the review. | Vendor documentedProduction evidence neededProduction database appears to be hosted in Render/Postgres, but the account-specific evidence file is not yet attached here. | Admin review before school contract review and at least once per term. |
| Database backup encryption | Render states that Render Postgres backup encryption is covered by the same AES-256 at-rest encryption statement. | Evidence from Render Recovery/Backups page showing enabled recovery/backup features for the production database, plus the current plan level. | Vendor documentedProduction evidence neededConfirm whether the current database plan is Hobby, Pro, or higher and record the backup/PITR features available. | Admin review after any database plan/storage change and at least once per term. |
| Backup retention and recovery window | Render documents point-in-time recovery for paid databases, with Hobby retaining three days and Pro or higher retaining seven days. Render logical exports are retained for seven days after creation. | Screenshot of the Render Recovery page showing the production database recovery window, logical export availability, and any created exports. Record whether extra off-platform backups exist. | Production evidence neededDo not assume the exact recovery window from code. Confirm the active database plan in Render. | Admin monthly review and after every plan/storage change. |
| Restore access and procedure | Render documents point-in-time recovery by creating a recovered database instance and logical export restore using downloaded export files. | Written restore runbook naming who may trigger PITR, who may download exports, where restore evidence is saved, and how restored data is validated before reconnecting production. | Runbook neededThe codebase has retention cleanup endpoints, but production database restore authority and steps still need dashboard-backed documentation. | Admin and technical owner review twice per year or after a restore drill. |
| External database access | Render documents internal and external database URLs and allows restricting external access by IP/CIDR or disabling external access. | Screenshot of Render database networking/access rules. Confirm whether external access is restricted and whether the app uses internal database URLs where possible. | Production evidence neededConfirm external access rules and connection string type in Render environment settings. | Admin review after any environment variable or database networking change. |
| Cloudflare Access / Pages logs and regional behavior | Cloudflare documents customer-log metadata boundary behavior and Logpush options for exporting logs to customer-controlled storage or SIEM systems. | Screenshot of Cloudflare Access application policies, admin users, log retention/export settings, and whether Logpush or Data Localization features are enabled. | Production evidence neededCloudflare is active for access/security, but log retention and export configuration need dashboard proof. | Admin review once per term and after changing Zero Trust policies. |
| GitHub repository and deployment access | GitHub stores private repository code and deployment history if connected to Render/Cloudflare. Repository history can retain removed content. | List of repository admins/collaborators, branch protection status, secret-scanning status, and confirmation that student data and production secrets are not committed. | Production evidence neededPrivate repos are active; access review evidence should be captured from GitHub. | Admin review once per term and immediately after collaborator changes. |
| Manual exports and local backup files | Manual exports, CSVs, privacy exports, database dumps, and downloaded Render logical exports are outside the database provider once downloaded. | Document where exports may be stored, who may create them, expected deletion timing, and whether local/cloud storage is encrypted. | Policy evidence neededAdmin export tools exist; local handling rules should be documented and followed. | Admin review before sending or storing any student-data export outside production systems. |