LearnCube Data Protection and Security Information

Service Introduction

Business Information

  • Company Name: Esplice Limited (trading as LearnCube)
  • Name: Dan O'Reilly, CTO
  • Contact Information: [email protected]

Company Profile

Service Scope Question

  • Name of application or service being provided:
    • LearnCube Online School and Virtual Classroom
  • Description of application or service:
    • LearnCube provides an all-in-one platform for education companies delivering live online classes. The software helps administrators streamline their online operations, manage staff, teachers, students, classes, content and more. Teachers that login to the platform will see only their students and classes. Students that login to the platform will find their upcoming classes on their dashboard. Teachers and students will meet in the LearnCube virtual classroom which is professional, simple-to-use and highly interactive.
  • Technology languages/platforms/stacks/components utilized in the scope of the application:
    • AWS and VueJS.

Service Hosting and tools

  • LearnCube’s service is hosted and run in the cloud.
  • All Services
    • Services for the Virtual Classroom:
      • Amazon Web Services LLC, 1200 12th Ave S, Ste 1200, Seattle, WA 98144, USA
      • PubNub Inc, 725 Folsom St, San Francisco, CA 94107, USA
      • Agora, 2804 Mission College Blvd., Santa Clara, CA, USA 95054
      • Twilio Inc.,375 Beale Street, Suite 300 San Francisco, CA 94105, USA
    • Services for the Online School
      • Mailgun Technologies Inc., 112 E Pecan St ###1135, San Antonio, TX 78205, USA
      • Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
      • Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA
      • Cloudinary, 3400 Central Expressway, Suite 110 Santa Clara, CA 95051, USA
    • For LearnCube support & payments:
      • Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
      • Intercom Inc., 55 2nd Street 4th Floor San Francisco, CA 94105, USA
      • Hubspot, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA
      • Stripe, 510 Townsend Street San Francisco, CA 94103, USA
  • Data centers/countries/geographies where LearnCube is deployed are in the European Union for Data Privacy (GDPR) reasons.

Supporting Documentation

  • Most recent Application Code Review or Penetration Testing Reports (carried out by an independent third-party) completed March 14, 2023.
  • Penetration tests follow industry-approved methodology: Performance Tests, Load tests, Stress Tests, Usability tests, Secure Source Code Analysis, Vulnerability Scanning.
  • Information Security Policies and Procedures are:
    • SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. We ensure that all data passed between the web server and browsers remain private and integral. All passwords are encrypted with a PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. In the case of a data breach, both the Data Controller and ICO are to be notified within 72 hours.
    • All Personal Data related to a customer can be deleted within 30 days upon request. Upon request, Personal Data can be provided to customers for export in a “common” CSV file format.

Data Protection & Access Controls

Data Classification

  • LearnCube allows students to login to a platform where they can schedule classes and access a virtual classroom to participate in the lesson.
  • Types of personal data processed by the Data Processor:
    • Profile information
      • This may include the user’s first name, last name and profile image
      • This information is used to personalise the Services
    • Contact information
      • This may include the user’s email address
      • This information is used to communicate with students and teachers
    • Location and time zone information
      • This includes the user’s IP address, browser type, time zone, home-country and location
      • This information is used to improve the quality of the Services, optimising data routing, to diagnose technical issues and support class scheduling
    • Class information
      • This includes the user’s upcoming online classes, past online classes, notes, teacher ratings, student feedback
      • This information is used to report on class attendance, teacher performance, schedule classes, validate service delivery and improve the user experience.
  • Data storage model


  • Customer data encryption:
    • Encryption concept has been defined and documented in the security concept. Data in transit must be encrypted if it is classified at least "internal". Data in transit must be encrypted if it is classified at least "high" for integrity.

Data Access & Handling

  • Staff (individual contractors and full-time) that have access to customer personal and sensitive data:
    • Only LearnCube senior leadership staff will have potential access to customer data.
    • Database level access requires Multi-factor authentication (MFA) which is only assigned to 2 employees, CTO and Senior Software Developer.
  • Data backups are automatically performed daily and stored in multiple physical locations. Typically backups are stored for 30 days

Authentication - Internal

  • All passwords are encrypted with a PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST.
  • MFA is required for employees/contractors to log in to production systems.

Policies & Standards

Management Program

  • LearnCube has a dedicated information security team led by senior staff.
  • LearnCube has a formal Information Security Program (InfoSec SP) in place.
  • LearnCube follows GDPR and CCPA best practices in terms of Information security risk management program (InfoSec RMP).

Policy Execution

  • LearnCube’s information security and privacy policies align with industry standards (ISO-27001, NIST Cyber Security Framework, ISO-22307, CoBIT, etc.) but we are not ISO certified
  • There is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures.


  • All personnel are required to sign Confidentiality Agreements to protect customer information, as a condition of employment.

Acceptable Use

  • All personnel are required to sign an Acceptable Use Policy.

Proactive Security

Network and Application Security Testing

  • LearnCube tests the security of our network and applications by completing Pentests by an expert external security firm at least once per year.

Vulnerability Management/Patching

  • Our network vulnerability management processes and procedures include following GDPR and CCPA best practices and reporting to the ICO within 72 hours of a notable breach. Daniel O'Reilly is the assigned "Data Protection Officer".
  • We evaluate patches and updates for your infrastructure on a monthly, quarterly and annual basis depending on the severity and impacted application/infrastructure.
  • Critical patches are escalated and hotfixed outside of the regular release schedule.

Endpoint Security - End User

  • Employees use 2-factor authentication and Cloudflare, a "team" gateway to secure cloud endpoints).
  • WAF/Cloudflare Proxy/Internal VPN segmentation are in place to mitigate classes of web application vulnerabilities.
  • We use Cloudflare to protect against known attacks (including bot attacks and DDOS). We also have security logs for manual review of any error, indicating malicious activity or attempts including brute-force logging.

Infrastructure Security

  • LearnCube’s secrets management strategy: usage is tracked/audit logs creation date set. Staff API keys are cycled periodically.
  • Security events (authentication events, SSH session commands, privilege elevations) in production (app and infrastructure) have audit logs.
  • The production network is segmented into different zones based on security levels.
  • Only 3 staff have permission for making changes to the network configuration, normally 2/3 are involved in making any changes


  • Cryptographic frameworks used to secure a) data in transit over public networks, b) passwords, c) data at rest are SHA-256 encryption for data transfer (AWS/Cloudflare) PBKDF2 algorithm with a SHA256 hash for user passwords.
  • We use AWS and Cloudflare to manage cryptographic keys.

Security Awareness

  • Security awareness program for staff is part of our onboarding protocol, all staff with access to data complete a data protection training course.

Reactive Security


  • We have user audit logging for key infrastructure to log and alert on relevant security events. In the event of a notable security event or data breach, relevant affected parties are notified and reported to the ICO within 72 hours

Incident Response

  • In the case of a data breach both the customer and ICO are to be notified within 72 hours.
  • We have not experienced a data breach that required public notification.

Incident Communication

  • We do have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems, it depends on the level of service required by the customer.

Secure SDLC

  • Code is developed securely by cross-checking both internally and by external QA. Only Senior Developers have access to the full code base, otherwise permission is restricted to what employees need access to.
  • Developers follow best practices as outlined by OWASP. All developers are also involved with the pen test reviews.

Customer Facing Application Security


  • PBKDF2 algorithm with a SHA256 hash for user passwords, employees can not retrieve passwords (but can reset upon a verified request). SSO needs to be enabled by request and uses a 2-way verification process (validated also by customer server-side) using a time sensitive ECB-DES token.

Role-Based Access Control

  • LearnCube’s Online School has different role permissions so the customer can avoid exposing data to staff members who do not require it.

Audit Logging

  • Logs for systems and applications with access to customer data are kept for direct access to databases, staff login to the application and cloud hosting accounts.


API Management

  • Depending on the customer’s needs, we can provide API keys or customers can provide us with pre-generated keys to be used.

Internal Audits

  • We conduct internal audits (audits led by our staff) of the service annually. It involves a review of access logs and permission (or for specific access for new or leaving employees).

External Audits

  • We conduct annual penetration tests


  • In terms of IT operational, security, privacy-related standards, certifications and/or regulations, we comply with GDPR.


It's never been easier to teach online!