Skip to main content
History Hack

Data Flow Architecture

TroopToTeacher Technologies · Security Documentation

Last Updated: April 2026

Key Fact: History Hack collects zero student PII. All progress data stays in the browser. The API is read-only. No data flows to third parties beyond Microsoft Azure infrastructure.

Application Architecture

Student’s Browser

Where the student interacts with History Hack

  • Loads static HTML, CSS, and JavaScript from CDN
  • Renders all pages and interactive content client-side
  • Stores progress, scores, and preferences in localStorage
  • localStorage data never leaves the device
HTTPS requests (read-only)

Azure Static Web Apps (CDN)

US-based resource

Global content delivery network

  • Serves pre-built HTML, CSS, JS, and font files
  • No server-side processing — purely static file delivery
  • No user data is collected or logged
  • TLS 1.2+ encryption for all connections
API calls (read-only, no user data sent)

History Hack API (Azure App Service)

Canada Central*

Read-only content delivery API (tRPC)

  • Accepts only unit selection parameter (e.g., "unit-1")
  • Returns curriculum content: quiz questions, vocabulary, bios, etc.
  • No user data is accepted, processed, or stored
  • No authentication data processed (yet)
  • No write operations — entire API is read-only
SQL queries (content retrieval only)

Azure SQL Database

Canada Central*

Curriculum content storage

  • Stores 1,452 quiz questions, 561 matching games, 246 identification items
  • Stores vocabulary, biographies, primary sources, fact cards, timelines
  • Contains ZERO student records — only educational content
  • Transparent Data Encryption (TDE) for data at rest
  • Access restricted to API service identity only

*Migration to US Azure region (East US 2) planned for completion by June 1, 2026.

Browser localStorage (On-Device Only)

localStorage

Data that stays on the student’s device

  • Quiz scores and attempt history (progress-store)
  • Saved custom quizzes (quiz-store)
  • Language preference: English or Spanish (language-provider)
  • Text-to-speech voice and speed settings (tts-provider)
  • Font size / reading settings (reading-settings-provider)

Important: All localStorage data is controlled entirely by the browser. TroopToTeacher Technologies has no access to, no visibility into, and no ability to retrieve this data. Schools can clear it via browser settings or MDM policies at any time.

What Does NOT Happen

No student PII is collected
No data sent to analytics services
No data sent to advertising networks
No data sent to AI/ML services
No data sent to social media platforms
No cookies or session tracking
No user behavior tracking
No cross-site tracking or fingerprinting

Sub-Processors

ProviderServicePurposeStudent Data
Microsoft AzureStatic Web AppsFrontend CDN hosting None
Microsoft AzureApp ServiceRead-only content API None
Microsoft AzureSQL DatabaseCurriculum content storage None

Microsoft Azure is the sole sub-processor. No other third-party services receive any data.

Security Measures

TLS 1.2+ Encryption

All data in transit is encrypted

Transparent Data Encryption

Azure SQL data at rest is encrypted

Content Security Policy

CSP headers restrict script/resource origins

X-Frame-Options: DENY

Prevents clickjacking attacks

RBAC Access Controls

Azure role-based access to infrastructure

No External Scripts

Zero third-party JavaScript loaded

TroopToTeacher Technologies

Questions about our data architecture? Contact trooptoteacher31@gmail.com