Breach Notification Policy

Last updated: April 19, 2026

Our commitment

If we discover a security incident that involves unauthorized access to, disclosure of, or destruction of customer data, we commit to notifying affected users within 72 hours of confirmed discovery. This timeline aligns with the GDPR Article 33 standard and is the benchmark we hold ourselves to regardless of whether GDPR formally applies to a given user.

What counts as a breach

For the purposes of this policy, a "breach" is any incident that results in:

  • Unauthorized access to user account credentials, encrypted secrets, or session tokens.
  • Unauthorized disclosure of user-generated content (wizard sessions, generated assignments, code uploads).
  • Decryption or extraction of stored API keys (Bring Your Own Key credentials for AI providers).
  • Compromise of payment metadata that we hold (Stripe customer IDs, purchase history).
  • Loss of database availability for more than 24 hours due to provider failure (treated as a confidentiality risk pending investigation).

What we will tell you

Notifications will be delivered to the email address on your account and will include:

  • The nature of the incident, in plain language.
  • The categories of data potentially affected for your account.
  • The steps we have already taken to contain the incident.
  • The steps we recommend you take (e.g. rotate API keys, change OAuth tokens, review GitHub App installations).
  • A point of contact for follow-up questions.
  • Where applicable, regulator and law-enforcement engagement.

What we will NOT do

  • We will not silently patch a known incident and hope nobody notices.
  • We will not delay disclosure beyond 72 hours to make ourselves look better.
  • We will not use a vague “security best practices” notification when we know specifically what data was exposed.

Post-incident review

Within 30 days of any incident notification, we will publish a post-mortem through direct incident communications and, when appropriate, a public incident notice describing what happened, the timeline, root cause, and the engineering changes made to prevent recurrence. Customer-identifying details will be redacted from any public version.

Reporting a suspected vulnerability

If you believe you’ve discovered a security issue affecting CodeTeach.ai, please email admin@codeteach.ai with the details. We will acknowledge within 1 business day and provide a remediation timeline within 5 business days. We do not currently run a bug bounty program, but we will publicly credit responsible disclosures (with your permission) on the /security page.