Security

Our Commitments

• Governance: A cross‑functional Security Steering Group (SSG) oversees our posture, reviews risks and KPIs at least quarterly, and reports to the Board.
• Scope: Security covers all personnel and third parties; all environments (dev/stage/prod); and all assets including apps, cloud services, data stores, networks, endpoints, CI/CD, IaC, logs, and backups.
• Identity & Access: Centralized identity with MFA by default, least‑privilege access, role‑based controls, periodic access reviews, and managed secrets.
• Data Protection: Encryption in transit and at rest, managed keys, data classification and minimization, and protected, tested backups.
• Secure Development: A secure SDLC with peer code review, automated testing and analysis (SAST/DAST/SCA), dependency hygiene, and CI/CD gating.
• Vulnerability & Patch Management: Risk‑based prioritization (industry standard scoring + business context) with tracked SLAs and time‑boxed exceptions.
• Monitoring & Incident Response: Continuous monitoring of networks, endpoints, services, and privileged activity with an established Incident Response Plan covering detection, containment, recovery, communications, and lessons learned.
• Resilience: High availability architecture, autoscaling, multi‑zone designs, tested failover and recovery, and anti‑DDoS patterns.
• Supply‑Chain Security: Risk‑based onboarding and tiering of suppliers, contractual security requirements, ongoing monitoring, and defined exit/transition steps.
• People & Training: Mandatory security awareness training for all, with role‑based training for specialized functions.

Signals & Resources

• Policy review cadence: annual (or on material change)
• Contact: security@wearelearning.io
• Assurance materials (Redacted Security Policy, SOC 2 status (currently in progress), pentest summaries): Provided under NDA upon request.