LearnCube provides an all-in-one platform for education companies delivering live online classes. The software helps administrators streamline their online operations and manage staff, teachers, students, classes, content and more. Teachers who log in to the platform will see only their own students and classes. Students who log in to the platform will find their upcoming classes on their dashboard. Teachers and students meet in the LearnCube virtual classroom, which is professional, simple to use and highly interactive.
Technology languages/platforms/stacks/components utilized in the scope of the application:
AWS and VueJS.
Service Hosting and tools
LearnCube’s service is hosted and run in the cloud.
Services for the Virtual Classroom:
Amazon Web Services LLC, 1200 12th Ave S, Ste 1200, Seattle, WA 98144, USA
PubNub Inc, 725 Folsom St, San Francisco, CA 94107, USA
Agora, 2804 Mission College Blvd., Santa Clara, CA, USA 95054
Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA
Services for the Online School
Mailgun Technologies Inc., 112 E Pecan St ###1135, San Antonio, TX 78205, USA
Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA
Cloudinary, 3400 Central Expressway, Suite 110 Santa Clara, CA 95051, USA
For LearnCube support & payments:
Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Intercom Inc., 55 2nd Street 4th Floor San Francisco, CA 94105, USA
Hubspot, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA
Stripe, 510 Townsend Street San Francisco, CA 94103, USA
Data centers/countries/geographies where LearnCube is deployed are in the European Union for Data Privacy (GDPR) reasons.
Most recent Application Code Review or Penetration Testing Reports (carried out by an independent third-party) completed March 14, 2023.
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. We ensure that all data passed between the web server and browsers remains private and its integrity is preserved. All passwords are encrypted with a PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. In the case of a data breach, both the Data Controller and the ICO are to be notified within 72 hours.
All Personal Data related to a customer can be deleted within 30 days upon request. Upon request, Personal Data can be provided to customers for export in a “common” CSV file format.
Data Protection & Access Controls
LearnCube allows students to login to a platform where they can schedule classes and access a virtual classroom to participate in the lesson.
Types of personal data processed by the Data Processor:
This may include the user’s first name, last name and profile image
This information is used to personalise the Services
This may include the user’s email address
This information is used to communicate with students and teachers
Location and time zone information
This includes the user’s IP address, browser type, time zone, home-country and location
This information is used to improve the quality of the Services, optimising data routing, to diagnose technical issues and support class scheduling
This includes the user’s upcoming online classes, past online classes, notes, teacher ratings, student feedback
This information is used to report on class attendance, teacher performance, schedule classes, validate service delivery and improve the user experience.
An encryption concept has been defined and documented in the security concept. Data in transit must be encrypted if it is classified at least "internal". Data in transit must be encrypted if it is classified at least "high" for integrity.
Data Access & Handling
Staff (individual contractors and full-time) that have access to customer personal and sensitive data:
Only LearnCube senior leadership staff will have potential access to customer data.
Database level access requires Multi-factor authentication (MFA) which is only assigned to 2 employees, CTO and Senior Software Developer.
Data backups are automatically performed daily and stored in multiple physical locations. Typically, backups are stored for 30 days.
Authentication - Internal
All passwords are encrypted with a PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST.
MFA is required for employees/contractors to log in to production systems.
Policies & Standards
LearnCube has a dedicated information security team led by senior staff.
LearnCube has a formal Information Security Program (InfoSec SP) in place.
LearnCube follows GDPR and CCPA best practices in terms of Information security risk management program (InfoSec RMP).
LearnCube’s information security and privacy policies align with industry standards (ISO-27001, NIST Cyber Security Framework, ISO-22307, CoBIT, etc.), but we are not ISO certified.
There is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures.
All personnel are required to sign Confidentiality Agreements to protect customer information, as a condition of employment.
All personnel are required to sign an Acceptable Use Policy.
Network and Application Security Testing
LearnCube tests the security of our network and applications by completing Pentests by an expert external security firm at least once per year.
Our network vulnerability management processes and procedures include following GDPR and CCPA best practices and reporting to the ICO within 72 hours of a notable breach. Daniel O'Reilly is the assigned "Data Protection Officer".
We evaluate patches and updates for our infrastructure on a monthly, quarterly and annual basis, depending on the severity and the impacted application/infrastructure.
Critical patches are escalated and hotfixed outside of the regular release schedule.
Endpoint Security - End User
Employees use 2-factor authentication and Cloudflare (a "team" gateway) to secure cloud endpoints.
WAF/Cloudflare Proxy/Internal VPN segmentation are in place to mitigate classes of web application vulnerabilities.
We use Cloudflare to protect against known attacks (including bot attacks and DDOS). We also have security logs for manual review of any error, indicating malicious activity or attempts including brute-force logging.
LearnCube’s secrets management strategy: secret usage is tracked, audit logs are kept and each secret's creation date is recorded. Staff API keys are cycled periodically.
Security events (authentication events, SSH session commands, privilege elevations) in production (app and infrastructure) have audit logs.
The production network is segmented into different zones based on security levels.
Only 3 staff have permission to make changes to the network configuration; normally 2 of the 3 are involved in making any change.
Cryptographic frameworks used to secure a) data in transit over public networks, b) passwords and c) data at rest: SHA-256 encryption for data transfer (AWS/Cloudflare), and the PBKDF2 algorithm with a SHA256 hash for user passwords.
We use AWS and Cloudflare to manage cryptographic keys.
Security awareness program for staff is part of our onboarding protocol, all staff with access to data complete a data protection training course.
We have user audit logging for key infrastructure to log and alert on relevant security events. In the event of a notable security event or data breach, the relevant affected parties are notified and the event is reported to the ICO within 72 hours.
In the case of a data breach both the customer and ICO are to be notified within 72 hours.
We have not experienced a data breach that required public notification.
We do have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems; the specifics depend on the level of service required by the customer.
Code is developed securely by cross-checking both internally and by external QA. Only Senior Developers have access to the full code base; otherwise, permission is restricted to what employees need access to.
Developers follow best practices as outlined by OWASP. All developers are also involved with the pen test reviews.
Customer Facing Application Security
User passwords are stored using the PBKDF2 algorithm with a SHA256 hash; employees cannot retrieve passwords (but can reset them upon a verified request). SSO needs to be enabled by request and uses a 2-way verification process (also validated by the customer server-side) using a time-sensitive ECB-DES token.
Role-Based Access Control
LearnCube’s Online School has different role permissions so the customer can avoid exposing data to staff members who do not require it.
Logs for systems and applications with access to customer data are kept for direct access to databases, staff login to the application and cloud hosting accounts.
Depending on the customer’s needs, we can provide API keys or customers can provide us with pre-generated keys to be used.
We conduct internal audits (audits led by our staff) of the service annually. These involve a review of access logs and permissions, including specific access granted to new employees or removed from leaving employees.
We conduct annual penetration tests.
In terms of IT operational, security, privacy-related standards, certifications and/or regulations, we comply with GDPR.
We do not seek a right to use or own customer-derived data for our own purposes.