STNDRD Security

Last updated: 5/8/26

STNDRD helps organizations create, manage, and deliver digital training and operational content. We handle customer data with care and use security practices designed to protect account information, organization data, training content, video, analytics, and spatial or location-related information.

This page describes STNDRD’s current security practices.


Data We Handle

Depending on how customers use STNDRD, we may process:

  • Account information, including names, emails, organization membership, and user roles

  • Organization and workspace data

  • Customer-created content, including standard work materials and uploaded images, videos, and related metadata

  • Training or usage activity

  • Product analytics, such as clicks, page views, and session activity

  • Application errors, bug reports, and system logs

  • AI-related requests and responses

  • Headset location/object metadata

  • Headset-captured images or video when a user intentionally takes an image or video

  • Location, spatial, or headset/device-related data where required by product functionality

We do not sell customer data.


Infrastructure and Providers

STNDRD uses established third-party providers to operate the platform. These providers support functions such as:

  • Authentication and authorization

  • Application hosting

  • Database and file storage

  • Video hosting and delivery

  • Product analytics and error monitoring

  • AI-enabled product functionality

  • Headset operating system and device services

  • Internal engineering and operational notifications

Technology Infrastructure

The platform is built on a U.S.-based core technology stack, with core hosting and data infrastructure deployed in the United States. STNDRD does not currently use China-based providers for core platform hosting, authentication, database, storage, or AI infrastructure. STNDRD uses established commercial service providers and industry-standard security measures to support secure operations and protect customer data.

STNDRD evaluates providers based on security maturity, operational reliability, and relevance to product needs. Some providers maintain their own independent security and compliance certifications. A list of subprocessors may be made available to customers under NDA or as part of an enterprise security review where appropriate.


Authentication and User Access

STNDRD uses email-code authentication through a third-party identity provider. Users access the platform with their email address and a time-limited verification code sent to that email address.

Customer access is organized around organizations and roles. Customer administrators can invite and remove users from their organization.

The headset app authenticates users through the STNDRD web login flow. After login, the headset uses an authentication token to request standard work information from the platform. The current headset integration primarily sends platform content to the headset for use in the application.


Internal Access and Least Privilege

STNDRD limits internal access to source code, production systems, customer data, deployment tools, databases, storage, logs, and related infrastructure based on role and operational need.

Authorized personnel are granted only the access reasonably needed to develop, operate, support, debug, or secure the service.

Access to production systems and customer data is limited to a small number of STNDRD founders and engineers who require access for operational purposes.

Certain authorized STNDRD engineering and administrative personnel may have system-level access across customer organizations for operational, support, debugging, and security purposes. Access is limited to approved personnel with a legitimate need to operate, maintain, support, or secure the service. STNDRD does not access customer organization data for unrelated purposes.

STNDRD uses MFA for critical internal systems where available. Access is removed when team members leave or no longer require access.


Personnel and Confidentiality

STNDRD personnel and contractors with access to sensitive company or customer information are subject to NDA, confidentiality, or similar restrictive obligations. Access is limited to authorized personnel with a legitimate business or operational need and is governed by internal access-control practices.


Encryption and Credential Handling

STNDRD uses HTTPS/TLS to encrypt data in transit between users and the STNDRD platform.

Authentication secrets, login codes, tokens, and related credentials are handled through STNDRD’s identity and infrastructure providers.

STNDRD relies on managed infrastructure and storage providers that support storage-layer security controls, including encryption at rest where available through those providers.


Customer Content Storage

Customer content may be stored across managed application infrastructure, video hosting infrastructure, database infrastructure, file storage, analytics systems, internal headset services, and local headset storage depending on product use.

Headset and Spatial Data

STNDRD’s headset app uses headset platform capabilities to place and retrieve training content in physical environments.

The headset may use or interact with:

  • Camera/pass-through capabilities

  • Microphone access

  • Spatial anchors

  • Hand tracking or controller interaction

  • Device identity

  • Local headset storage

  • Headset platform APIs and services

  • Location/object metadata used by the STNDRD headset app

STNDRD uses spatial anchors to associate customer content with physical locations. Spatial anchors are generally stored locally on the headset unless anchors are shared between devices. When anchors are shared between devices, anchor data may be stored by the headset platform provider for a limited period. Current engineering understanding is that this period is approximately 30 days.

STNDRD stores relative information about object positions, locations, linked standard work content, and metadata needed to operate the headset experience.


Images, Video, and Microphone

STNDRD does not capture headset camera data continuously. The headset may store a user-triggered image when a user takes a picture to represent or display a location. Image capture is always initiated by the user.

The headset app may access the microphone for voice input, such as speech-to-keyboard functionality. Audio may also be used for AI-enabled product functionality when routed through STNDRD’s backend and AI infrastructure providers.


Local Headset Storage

The headset may cache customer content and related metadata locally to support product functionality and reduce repeated downloads.


Product Analytics, Logs, and Session Data

STNDRD collects product analytics, logs, errors, and session data to operate, debug, secure, and improve the platform. Access to these systems is limited to authorized STNDRD personnel.

STNDRD is continuing to formalize retention periods for application logs, analytics, uploaded content, headset metadata, and operational records. Retention may vary by data type, customer contract, product configuration, and legal or operational requirements.


Customer Content

Customer content belongs to the customer organization.

STNDRD may access customer environments for support, demos, troubleshooting, implementation work, or security-related investigation when the relevant customer has granted organization access or where access is otherwise required to operate or secure the service.

STNDRD does not impersonate customer users. When STNDRD participates in a customer organization, the STNDRD user appears as an authorized user in that organization.


AI Use

STNDRD uses AI infrastructure providers to support product functionality.

AI-related requests and responses may be processed through STNDRD’s backend, AI infrastructure providers, and analytics systems for product operation, debugging, improvement, and analysis.

STNDRD does not sell customer AI-related data.


Software Development Practices

STNDRD uses version control, hosted deployment infrastructure, and source control tooling for software development.

Current development practices include:

  • Version-controlled source code

  • Source control permission management

  • Code review for most changes made by engineers other than the engineering lead

  • Functional review and manual QA before release

  • Controlled deployment through hosted application infrastructure

  • Manual production promotion where configured

  • Dependency and vulnerability awareness through provider tooling

  • Rapid deployment practices to address bugs, product issues, and security concerns

STNDRD follows a rapid deployment model designed to support fast product iteration while maintaining engineering review and operational oversight.


Vulnerability Management

STNDRD monitors security issues through provider tooling, dependency alerts, and engineering review.

When a security issue is identified, the engineering team assesses severity, customer impact, and remediation priority.

Security testing and review are currently handled through engineering review, provider tooling, dependency alerts, and customer-driven enterprise review where applicable.


Data Retention, Export, and Deletion

STNDRD retains customer data, analytics, logs, headset-related metadata, and related operational records based on product and operational need.

Certain spatial anchor data may be retained by the headset platform provider for a limited period when anchors are shared across devices. Current engineering understanding is that this period is approximately 30 days.

Customers may contact STNDRD to request data deletion or export, subject to contractual, technical, legal, and operational limitations.


Backup and Recovery

STNDRD relies on managed cloud infrastructure and storage providers for platform availability, redundancy, and recovery capabilities.

Backup and recovery practices are being formalized as part of STNDRD’s enterprise security roadmap.


Incident Response

If STNDRD identifies a potential security incident, our team will work to:

  • Investigate the issue

  • Contain the impact

  • Preserve relevant logs and evidence

  • Remediate the underlying cause

  • Document what happened

  • Notify affected customers where required by law, contract, or material impact

Security incidents are handled by STNDRD leadership and engineering personnel.


Responsible Disclosure

If you believe you have found a security issue in STNDRD, please contact:

rayd@youar.io

Please include:

  • A description of the issue

  • Steps to reproduce it

  • Any affected URLs, users, organizations, or systems

  • Your contact information

We ask that researchers avoid accessing, modifying, deleting, or sharing customer data and give us reasonable time to investigate before public disclosure.


Compliance

STNDRD uses established infrastructure and software providers with their own security and compliance programs, including provider-level controls, audits, and certifications where applicable. STNDRD continues to strengthen its internal security and compliance practices as customer and enterprise requirements grow.

STNDRD is actively improving its internal security practices as customer and enterprise requirements grow.


Insurance

Information about STNDRD’s applicable insurance coverage may be provided to enterprise customers during procurement or security review.