LearnCube provides an all-in-one platform for education companies delivering live online classes. The software
helps administrators streamline their online operations, manage staff, teachers, students, classes, content and
more. Teachers who log in to the platform see only their own students and classes. Students who log in to the
platform find their upcoming classes on their dashboard. Teachers and students meet in the LearnCube
virtual classroom, which is professional, simple to use and highly interactive.
Technology languages/platforms/stacks/components utilized in the scope of the application:
AWS and VueJS.
Service Hosting and tools
LearnCube’s service is hosted and run in the cloud.
All Services
Services for the Virtual Classroom:
Amazon Web Services LLC, 1200 12th Ave S, Ste 1200, Seattle, WA 98144, USA
PubNub Inc, 725 Folsom St, San Francisco, CA 94107, USA
Agora, 2804 Mission College Blvd., Santa Clara, CA, USA 95054
Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA
Services for the Online School:
Mailgun Technologies Inc., 112 E Pecan St #1135, San Antonio, TX 78205, USA
Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA
Cloudinary, 3400 Central Expressway, Suite 110, Santa Clara, CA 95051, USA
For LearnCube support & payments:
Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Intercom Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA
Hubspot, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA
Stripe, 510 Townsend Street, San Francisco, CA 94103, USA
Data centers/countries/geographies where LearnCube is deployed are in the European Union for Data Privacy (GDPR)
reasons.
Supporting Documentation
Most recent Application Code Review or Penetration Testing Reports (carried out by an independent third party):
completed March 14, 2023.
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web
server and a browser. We ensure that all data passed between the web server and browsers remains private and its
integrity is protected. All passwords are hashed with PBKDF2 using SHA-256, a password stretching mechanism
recommended by NIST. In the case of a data breach, both the Data Controller and the ICO are to be notified within 72
hours.
All Personal Data related to a customer can be deleted within 30 days upon request. Upon request, Personal Data
can be provided to customers for export in a “common” CSV file format.
Data Protection & Access Controls
Data Classification
LearnCube allows students to login to a platform where they can schedule classes and access a virtual classroom to
participate in the lesson.
Types of personal data processed by the Data Processor:
Profile information
This may include the user’s first name, last name and profile image
This information is used to personalise the Services
Contact information
This may include the user’s email address
This information is used to communicate with students and teachers
Location and time zone information
This includes the user’s IP address, browser type, time zone, home country and location
This information is used to improve the quality of the Services, optimise data routing, diagnose technical
issues and support class scheduling
Class information
This includes the user’s upcoming online classes, past online classes, notes, teacher ratings, student
feedback
This information is used to report on class attendance, teacher performance, schedule classes, validate
service delivery and improve the user experience.
An encryption concept has been defined and documented in the security concept. Data in transit must be encrypted if
it is classified at least "internal". Data in transit must be encrypted if it is classified at least "high" for
integrity.
Data Access & Handling
Staff (individual contractors and full-time employees) with access to customer personal and sensitive data:
Only LearnCube senior leadership staff have potential access to customer data.
Database-level access requires multi-factor authentication (MFA) and is assigned to only two employees, the CTO and
the Senior Software Developer.
Data backups are performed automatically every day and stored in multiple physical locations. Backups are typically
retained for 30 days.
Authentication - Internal
All passwords are hashed with PBKDF2 using SHA-256, a password stretching mechanism recommended by
NIST.
MFA is required for employees/contractors to log in to production systems.
Policies & Standards
Management Program
LearnCube has a dedicated information security team led by senior staff.
LearnCube has a formal Information Security Program (InfoSec SP) in place.
LearnCube follows GDPR and CCPA best practices for its information security risk management program (InfoSec RMP).
Policy Execution
LearnCube’s information security and privacy policies align with industry standards (ISO 27001, NIST Cybersecurity
Framework, ISO 22307, COBIT, etc.), but we are not ISO certified.
There is a formal disciplinary or sanction policy established for employees who have violated security policies and
procedures.
Confidentiality
All personnel are required to sign Confidentiality Agreements to protect customer information, as a condition of
employment.
Acceptable Use
All personnel are required to sign an Acceptable Use Policy.
Proactive Security
Network and Application Security Testing
LearnCube tests the security of its network and applications through penetration tests performed by an expert
external security firm at least once per year.
Vulnerability Management/Patching
Our network vulnerability management processes and procedures follow GDPR and CCPA best practices, including
reporting to the ICO within 72 hours of a notable breach. Daniel O'Reilly is the assigned Data Protection Officer.
We evaluate patches and updates for our infrastructure on a monthly, quarterly and annual basis, depending on
severity and the impacted application or infrastructure.
Critical patches are escalated and hotfixed outside the regular release schedule.
Endpoint Security - End User
Employees use two-factor authentication and a Cloudflare "team" gateway to secure cloud endpoints.
WAF, Cloudflare proxy and internal VPN segmentation are in place to mitigate classes of web application vulnerabilities.
We use Cloudflare to protect against known attacks (including bot attacks and DDoS). We also keep security logs for
manual review of any error indicating malicious activity or attempts, including brute-force logging.
Infrastructure Security
LearnCube’s secrets management strategy: usage is tracked, audit logs are kept and creation dates are recorded. Staff
API keys are rotated periodically.
Security events (authentication events, SSH session commands, privilege elevations) in production (app and
infrastructure) have audit logs.
The production network is segmented into different zones based on security levels.
Only 3 staff have permission to make changes to the network configuration, and normally 2 of the 3 are involved in
any change.
Cryptography
Cryptographic frameworks used to secure a) data in transit over public networks, b) passwords and c) data at rest:
SHA-256 for data in transit (AWS/Cloudflare) and PBKDF2 with a SHA-256 hash for user passwords.
We use AWS and Cloudflare to manage cryptographic keys.
Security Awareness
A security awareness program for staff is part of our onboarding protocol; all staff with access to data complete a
data protection training course.
Reactive Security
Monitoring
We have user audit logging for key infrastructure to log and alert on relevant security events. In the event of a
notable security event or data breach, the affected parties are notified and the event is reported to the ICO within
72 hours.
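As an added example (not LearnCube's own tooling), the kind of brute-force check that the security logs and alerting described here can feed: a sliding-window count of failed logins keyed by source IP and by account, run over constructed sample log lines. The log format, threshold and window size are assumptions of this example, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed log format for this example (not LearnCube's real format):
#   <ISO-8601 UTC time> login result=<ok|fail> user=<account> ip=<source>
LINE_RE = re.compile(r"^(?P<ts>\S+) login result=(?P<result>ok|fail) "
                     r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")
THRESHOLD = 5         # failures ...
WINDOW_SECONDS = 300  # ... within this many seconds raise an alert

def parse_line(line: str):
    """Return (time, result, user, ip), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines: List[str], threshold: int = THRESHOLD,
                      window: int = WINDOW_SECONDS) -> List[Tuple[str, str, str]]:
    """Count failed logins per source IP (one host guessing many accounts) and per
    account (one account hit from many hosts) in a sliding window; emit one
    (key_type, key, time) alert per key when it crosses the threshold."""
    windows: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:  # expected in time order, as an audit log emits them
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "fail":
            continue  # malformed or successful lines do not count
        ts, _, user, ip = parsed
        for key in (("ip", ip), ("user", user)):
            q = windows[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], ts.isoformat()))
    return alerts

# Constructed sample: one host spraying five accounts in 16 s, a good login,
# a malformed line, then one account hit from five hosts a minute apart.
SAMPLE_LOG = (
    [f"2023-03-14T10:00:{s:02d}Z login result=fail user={u} ip=203.0.113.7"
     for s, u in zip(range(1, 21, 4), ["alice", "bob", "carol", "dave", "eve"])]
    + ["2023-03-14T10:01:00Z login result=ok user=alice ip=198.51.100.2",
       "not a login line"]
    + [f"2023-03-14T10:0{m}:00Z login result=fail user=erin ip=198.51.100.{h}"
       for m, h in zip(range(2, 7), range(3, 8))])
```

Running `detect_bruteforce(SAMPLE_LOG)` flags the spraying host and the targeted account, while the single-failure accounts and single-failure hosts stay quiet.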
Incident Response
In the case of a data breach both the customer and ICO are to be notified within 72 hours.
We have not experienced a data breach that required public notification.
Incident Communication
We have formally defined criteria for notifying a client during an incident that might impact the security of their
data or systems; the criteria depend on the level of service required by the customer.
Secure SDLC
Code is developed securely and cross-checked both internally and by external QA. Only Senior Developers have access to
the full code base; otherwise, permission is restricted to what employees need.
Developers follow best practices as outlined by OWASP. All developers are also involved in the pen test reviews.
Customer Facing Application Security
Authentication
User passwords are stored with PBKDF2 using a SHA-256 hash; employees cannot retrieve passwords (but can reset them
upon a verified request). SSO must be enabled by request and uses a two-way verification process (also validated
server-side by the customer) with a time-sensitive ECB-DES token.
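An added example (not LearnCube's code) of the PBKDF2-SHA256 password stretching stated here and under Authentication - Internal: hashing with a random salt, verification with a constant-time comparison, and an iteration floor that flags old records for re-hashing. The record format, iteration counts and function names are assumptions of this example; the page does not give LearnCube's.

```python
import base64
import hashlib
import hmac
import os

# Policy values are constructed for this example. NIST SP 800-132 sets 1000 as
# the floor for PBKDF2 iterations; use as many as login latency allows.
ITERATIONS = 600_000      # for newly stored records
MIN_ITERATIONS = 100_000  # older records below this are upgraded at next login
SALT_BYTES = 16
KEY_BYTES = 32            # SHA-256 output length

def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt b64>$<key b64>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(key).decode()])

def parse_record(record: str):
    """Split a stored record into (iterations, salt, key); None if malformed."""
    try:
        algo, iters, salt_b64, key_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # wrong field count, non-integer count, or bad base64
        return None
    if algo != "pbkdf2_sha256" or iterations < 1 or not salt or not key:
        return None
    return iterations, salt, key

def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the record's own salt and iteration count and
    compare in constant time, so timing does not reveal how many bytes matched."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, key = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(key))
    return hmac.compare_digest(candidate, key)

def needs_rehash(record: str) -> bool:
    """True when a record predates the current iteration policy (or is
    malformed), so the application should re-hash after a successful login."""
    parsed = parse_record(record)
    return parsed is None or parsed[0] < MIN_ITERATIONS
```

Storing the iteration count inside each record is what lets the policy be raised later without invalidating existing accounts.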
Role-Based Access Control
LearnCube’s Online School has different role permissions so the customer can avoid exposing data to staff members who
do not require it.
Audit Logging
Logs for systems and applications with access to customer data are kept for direct access to databases, staff login to
the application and cloud hosting accounts.
Compliance
API Management
Depending on the customer’s needs, we can provide API keys or customers can provide us with pre-generated keys to be
used.
Internal Audits
We conduct internal audits (led by our staff) of the service annually. These involve a review of access logs and
permissions (including specific access changes for new or departing employees).
External Audits
We conduct annual penetration tests.
Certifications
In terms of IT operational, security and privacy-related standards, certifications and regulations, we comply with
GDPR.
Privacy
We do not seek a right to use or own customer-derived data for our own purposes.