Security & Trust
How we protect Customer Content, Learner Data, and the running platform — and what we're still working on.
TLS 1.2+ in transit
AES-256 at rest
Bcrypt password hashing
Audit logging
No AI training on customer data
SOC 2 Type II in progress
Penetration test (annual)
Infrastructure
- Hosting: Google Cloud Platform (US regions). Hardened Compute Engine instances behind nginx with managed Let's Encrypt TLS certificates.
- Database: PostgreSQL with point-in-time recovery, daily snapshots retained for 30 days.
- Object storage: Google Cloud Storage for documents, lesson images, and certificate PDFs — bucket-level access controls, signed URLs for sensitive resources.
- Vector search: Self-hosted Qdrant instance on a private VPC for document embeddings.
Encryption
- In transit: all traffic over TLS 1.2 or higher. HSTS enabled. HTTP redirects to HTTPS at the edge.
- At rest: AES-256 encryption on GCP-managed storage and database disks. Encryption keys managed by Google Cloud KMS.
- Passwords: stored as bcrypt hashes with a strong work factor. Never logged, never returned via the API.
- BYO API keys (Twilio, Salesforce, Claude on BYO orgs) are encrypted in the database and never returned to the UI after entry.
Access control
- Per-org isolation: all queries filter by organization at the application layer. Cross-tenant data access is structurally prevented.
- Role-based access: SUPER_ADMIN (platform staff), ORG_ADMIN, ORG_TRAINER, ORG_USER (learner) — each with scoped permissions.
- Trainer scoping: trainers see only their assigned programs and the learners enrolled in them.
- Production access: restricted to a small named list, MFA enforced, all access audit-logged.
- SSO (SAML / OIDC): available on the Enterprise tier.
Sub-processors
Full list with purpose and data flow lives in the Privacy Policy. Current sub-processors:
| Vendor | Purpose | Data shared |
|---|
| Anthropic | Claude LLM (lessons, roleplay, AI assistant) | Conversation content (no retention for training) |
| Google Cloud Platform | Hosting, storage, database | All Customer Content + Learner Data |
| Stripe | Payment processing | Billing info (no card numbers on our servers) |
| Twilio | SMS messaging (when SMS features used) | Phone numbers, SMS content |
| ElevenLabs | Voice synthesis + conversational voice | Audio during active sessions only |
| Qdrant Cloud (or self-hosted) | Vector search | Document embeddings |
Customers on annual contracts can subscribe to sub-processor change notifications — email security@learnready.ai.
AI safety
- No model training on customer data. Anthropic and other LLM providers process content under contract terms that prohibit using it for model training.
- Editorial gate: AI-generated lessons, quiz questions, and roleplay characters must be reviewed and approved by a trainer before learners see them.
- Citation requirements: AI-generated quiz questions track which source document and quote support each correct answer.
- Confidence flagging: low-confidence AI outputs are surfaced to trainers for review rather than silently shipped.
Compliance and audit
- Audit log: every meaningful action (program creation, learner invite, certification issue, content edit, trainer assignment) is logged with actor, target, IP, and timestamp.
- Certification verification: public verify URLs are signed and tamper-evident. Revocation propagates immediately.
- Compliance package: on demand, generate audit-ready PDF bundles for any learner — quiz attempts, signed attestations, certificate copies, complete activity timeline.
- Proctored Exam Mode (opt-in per program): random photo captures during the exam plus a browser-event log (tab switches, copy/paste, fullscreen exits) for trainer review. No facial recognition — photos are evidence images only, deliberately avoiding BIPA / GDPR Article 9 / CCPA biometric-data scope. 90-day auto-deletion. The capstone exam carries a public "Proctored" badge on its certificate. Optional IP + browser-metadata capture for high-stakes audits, disclosed to the learner before consent.
- Data Processing Agreement: available — see DPA.
Backups and disaster recovery
- Database snapshots daily, retained 30 days, replicated across GCP availability zones.
- Object storage (documents, images, PDFs) replicated across regions.
- Recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 24 hours.
- Annual disaster-recovery drills.
Incident response
If we detect or confirm a security incident affecting customer data:
- Containment and forensic investigation begin immediately
- Affected customers are notified within 72 hours via email and in-platform banner
- Post-incident report (root cause, impact, remediation) issued within 14 days
Vulnerability disclosure
If you've found a vulnerability, please tell us before disclosing publicly. Email security@learnready.ai with:
- A clear description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your name / handle for acknowledgment (optional)
We'll acknowledge receipt within 1 business day, investigate, and coordinate disclosure. We don't currently run a paid bug bounty but are happy to credit researchers publicly.
Compliance roadmap
- SOC 2 Type II — audit in progress, report expected late 2026. Pre-report security questionnaire available to enterprise prospects under NDA.
- HIPAA — not currently a covered entity or business associate. Do not upload protected health information to the platform unless an executed BAA is in place. Available on the Enterprise tier with custom contracting.
- FedRAMP / GovCloud — not on the near-term roadmap.
Security questions for procurement? Most enterprise customers have a standard security questionnaire (CAIQ, SIG, etc.). Email
security@learnready.ai and we'll turn it around — typical response time is 3-5 business days.
Get in touch
Security disclosures & questions: security@learnready.ai
General contact: /contact · support@learnready.ai