Built so lesson code can't hurt anyone
Interactive lessons mean running code in a child's browser. Noodlet is designed from the ground up so that code stays in a sealed sandbox โ the security boundary isn't a feature bolted on, it's the foundation everything else sits on.
A separate domain, on purpose
Lessons are served from a different registrable domain than the app your students log in to. Because of how browsers isolate origins, lesson code physically cannot read the cookies or sessions that belong to Noodlet itself.
No network access
The sandbox blocks lesson code from making network requests. It can't phone home, load trackers, exfiltrate anything, or pull in code you didn't see.
No access to student accounts
Even though a lesson runs in the browser the student is signed into, it has no path to their account, their identity, or any other lesson's data.
Untrusted by default
Whether a lesson was written by a teacher or generated by AI, Noodlet treats its code as untrusted and runs every one inside the same locked-down box.
A note for schools
Noodlet collects only what's needed to run classes and assignments. Lesson content never sees student personal data, and the sandbox isolation means one teacher's material can never interfere with another's. If your school needs specifics for a data-protection review, get in touch and we'll walk you through it.