
LearnCube Data Protection and Security Information

Service Introduction

Business Information

Company Name: Esplice Limited (trading as LearnCube)

Name: Dan O'Reilly, CTO

Contact Information: support@learncube.com 

Company Profile

Company Website URL: www.learncube.com 

Service Scope Question

Name of application or service being provided: LearnCube Online School and Virtual Classroom

 

Service Hosting and tools

LearnCube’s service is hosted and run in the cloud.

All Services:
    • Services for the Virtual Classroom:
      • Amazon Web Services LLC, 1200 12th Ave S, Ste 1200, Seattle, WA 98144, USA
      • PubNub Inc, 725 Folsom St, San Francisco, CA 94107, USA
      • Agora, 2804 Mission College Blvd., Santa Clara, CA, USA 95054
      • Twilio Inc., 375 Beale Street, Suite 300 San Francisco, CA 94105, USA
      • LiveKit, 4285 Payne Avenue Suite 9154, San Jose, CA, 95157, USA
      • Lunaweb GmbH, Nördliche Münchner Straße 47, DE-82031 Grünwald, Germany
      • OpenAI, 3180 18th Street, San Francisco, California 94110, USA
      • Wolfram Research, 100 Trade Center Drive, Champaign, IL 61820 USA

    • Services for the Online School
      • Mailgun Technologies Inc., 112 E Pecan St #1135, San Antonio, TX 78205, USA
      • Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
      • Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA
      • Cloudinary, 3400 Central Expressway, Suite 110 Santa Clara, CA 95051, USA

    • For LearnCube support & payments: 
      • Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
      • Intercom Inc., 55 2nd Street 4th Floor San Francisco, CA 94105, USA
      • Hubspot, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA
      • Stripe, 510 Townsend Street San Francisco, CA 94103, USA

  • Data centers/countries/geographies where LearnCube is deployed are in the European Union for Data Privacy (GDPR) reasons.

Supporting Documentation

Third-party security assessment includes penetration testing and application code review. Most recent Application Code Review or Penetration Testing Report (carried out by an independent third-party) completed November 2025.

Penetration tests follow industry-approved methodology: Performance Tests, Load tests, Stress Tests, Usability tests, Secure Source Code Analysis, Vulnerability Scanning.

Information Security Policies and Procedures are: 
    • SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. We ensure that all data passed between the web server and browsers remains private and retains its integrity.
    • All passwords are hashed using PBKDF2 with SHA-256.
    • In the case of a data breach, LearnCube will notify the Data Controller without undue delay.
    • All Personal Data related to a customer can be deleted within 30 days upon request. Upon request, Personal Data can be provided to customers for export in a “common” CSV file format.

 

Data Protection & Access Controls

Data Classification

LearnCube allows students to login to a platform where they can schedule classes and access a virtual classroom to participate in the lesson. 

Types of personal data processed by the Data Processor:

    • Profile information
      • This may include the user’s first name, last name and profile image 
      • This information is used to personalise the Services
    • Contact information
      • This may include the user’s email address
      • This information is used to communicate with students and teachers
    • Location and time zone information
      • This includes the user’s IP address, browser type, time zone, home-country and location
      • This information is used to improve the quality of the Services, optimising data routing, to diagnose technical issues and support class scheduling
    • Class information
      • This includes the user’s upcoming online classes, past online classes, notes, teacher ratings, student feedback
      • This information is used to report on class attendance, teacher performance, schedule classes, validate service delivery and improve the user experience.
  • Data storage model

Encryption

Customer data encryption:
    • All customer data in transit is encrypted using TLS/SSL protocols. Data at rest protection is provided through AWS infrastructure security controls rather than application-layer encryption.

Data Access & Handling

Staff (individual contractors and full-time) that have access to customer personal and sensitive data:
    • Customer data access is restricted to authorized senior leadership staff.
    • Database access is restricted to essential personnel (CTO and Senior Software Developer) with mandatory multi-factor authentication, ensuring both security and operational continuity. 
  • Data backups are automatically performed daily and stored in multiple physical locations. Backups are typically stored for 30 days.

Authentication - Internal

All passwords are hashed using PBKDF2 with SHA-256, a password-stretching mechanism recommended by NIST.

MFA is required for employees/contractors to log in to production systems.

 

Policies & Standards

Management Program

LearnCube has a dedicated information security team led by senior staff.

LearnCube has a formal Information Security Program (InfoSec SP) in place.

LearnCube follows GDPR and CCPA best practices for its information security risk management program (InfoSec RMP).

Policy Execution

LearnCube’s information security and privacy policies align with industry standards (ISO-27001, NIST Cyber Security Framework, ISO-22307, COBIT, etc.), but we are not ISO certified.

There is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures.

Confidentiality

All personnel are required to sign Confidentiality Agreements to protect customer information, as a condition of employment.

Acceptable Use

All personnel are required to sign an Acceptable Use Policy.

 

Proactive Security

Network and Application Security Testing

LearnCube tests the security of our network and applications by having an expert external security firm carry out penetration tests at least once per year.

Vulnerability Management/Patching

Our network vulnerability management processes and procedures include following GDPR and CCPA best practices and reporting to the ICO within 72 hours of a notable breach. Daniel O'Reilly is the assigned "Data Protection Officer".

We evaluate patches and updates for our infrastructure on a monthly, quarterly and annual basis, depending on the severity and the impacted application/infrastructure.

Critical patches are escalated and hotfixed outside of the regular release schedule.

Endpoint Security - End User

Employees use 2-factor authentication and a Cloudflare "team" gateway to secure cloud endpoints.

WAF/Cloudflare Proxy/Internal VPN segmentation are in place to mitigate classes of web application vulnerabilities.

We use Cloudflare to protect against known attacks (including bot attacks and DDoS). We also keep security logs for manual review of any error indicating malicious activity or attempts, including logging of brute-force attempts.

Infrastructure Security

LearnCube's secrets management includes usage tracking and audit log monitoring for all API access. Staff API keys are cycled periodically.

Security events (authentication events, SSH session commands, privilege elevations) in production (app and infrastructure) have audit logs.

The production network is segmented into different zones based on security levels.

Network configuration changes require authorisation from designated senior staff (3 personnel) through change approval processes.

Cryptography

Data in transit over public networks:

  • TLS/SSL encryption using SHA-256 certificates for all web traffic 
  • AWS and Cloudflare provide enterprise-grade encryption for data transmission
  • All API communications use HTTPS with modern cryptographic protocols

Password security and authentication:

  • PBKDF2 algorithm with SHA-256 hash for user password storage
  • Passwords are never stored in plain text and cannot be retrieved by staff 
  • All backend systems require multi-factor authentication for access

Data at rest protection: 

  • AWS infrastructure security controls including physical security and access controls
  • Network isolation through Virtual Private Cloud (VPC) segmentation
  • Encryption handled at the infrastructure level by AWS security framework
  • Additional protection through Cloudflare security services

Cryptographic key management: 

  • AWS and Cloudflare manage cryptographic keys for encryption and SSL/TLS services
  • Cloudflare handles SSL/TLS certificates with automatic rotation
  • Staff API keys are periodically rotated and usage is tracked through audit logs
  • All cryptographic operations follow industry best practices and compliance standards

Security Awareness

  • A security awareness program for staff is part of our onboarding protocol; all staff with access to data complete a data protection training course.

 

Reactive Security

Monitoring

We have user audit logging for key infrastructure to log and alert on relevant security events. In the event of a notable security event or data breach, relevant affected parties are notified and the event is reported to the ICO within 72 hours.

Incident Response

In the case of a data breach both the customer and ICO are to be notified within 72 hours.

LearnCube maintains a strong security record with no data breaches. Our proactive security measures and monitoring help prevent incidents before they occur.

Incident Communication

We have formally defined criteria for notifying clients during incidents that might impact the security of their data or systems. Our incident communication is tailored to customer requirements and service agreements.

Secure SDLC

Code is developed securely by cross-checking both internally and by external QA. Full codebase access is limited to Senior Developers, with other staff having role-appropriate permissions.

Developers follow best practices as outlined by OWASP. All senior developers are involved with the pen test reviews.

 

Customer-Facing Application Security

Authentication

User passwords are hashed using PBKDF2 with SHA-256; employees cannot retrieve passwords (but can reset them upon a verified request). SSO is available upon request and uses secure authentication protocols with customer-side validation for enhanced security.

Role-Based Access Control

LearnCube’s Online School has different role permissions so the customer can avoid exposing data to staff members who do not require it.

Audit Logging

Logs for systems and applications with access to customer data are kept for direct access to databases, staff login to the application and cloud hosting accounts.

 

Compliance

API Management

Depending on the customer’s needs, we can provide API keys or customers can provide us with pre-generated keys to be used.

Internal Audits

We conduct internal audits (audits led by our staff) of the service annually. These involve a review of access logs and permissions (or of specific access for new or leaving employees).

External Audits

LearnCube conducts annual third-party security assessments including penetration testing and application code review following industry-approved methodologies (Performance Tests, Load tests, Stress Tests, Usability tests, Secure Source Code Analysis, Vulnerability Scanning).


Certifications

In terms of IT operational, security, privacy-related standards, certifications and/or regulations, LearnCube's security framework aligns with industry standards including ISO-27001, NIST Cybersecurity Framework, and GDPR requirements. While not pursuing formal third-party certification currently, our policies and procedures meet these recognised standards.

 

Privacy



© 2024 LearnCube. All rights reserved.