Security Isn’t a Feature. It’s the Foundation Everything Else is Built On.
EdzLMS stores learner data, compliance records, assessment results, and organisational training history for thousands of users across regulated industries. We treat that responsibility seriously — with enterprise-grade encryption, infrastructure controls, data governance, and independent security testing that we’re prepared to document for any procurement or due diligence process.
Security certifications & compliance
We are ISO and GDPR compliant, and we take a no-compromise attitude to security.
ISO 9001:2015
Quality management system — consistent service delivery
View certificate
ISO 27001:2022
Information security management — enterprise-grade data protection
View certificate
ISO 29990:2010
Learning services for non-formal education — quality standards (Application in Progress)
View certificate
GDPR Compliant
EU data protection regulation — full data subject rights supported
View statement
Our security philosophy
We assume a breach is always possible. Our architecture is designed so that if one ever happened, the damage would be minimal.
Security-by-design, not security-by-afterthought. Every architectural decision at EdzLMS is made with a threat model in mind — from how we store credentials (never in plain text, always hashed with bcrypt) to how we isolate tenant data (separate encrypted stores per organisation, never co-mingled).
We follow a defence-in-depth approach — multiple independent security layers mean a failure in one does not compromise the whole. Our security posture is continuously reviewed against the OWASP Top 10, CIS benchmarks, and the NIST Cybersecurity Framework, and independently tested through annual penetration testing by a certified third-party security firm.
- Security-by-design architecture — threat modelling from day one
- Defence-in-depth — multiple independent security layers
- Zero-trust network model — no implicit trust between components
- Principle of least privilege — users and systems get minimum necessary access
- Immutable audit logs — every action recorded and tamper-evident
- Annual independent penetration testing with remediation tracking
Encryption & data security
Your data is encrypted everywhere — at rest, in transit, and in backups.
Encryption is not a compliance checkbox for us. It is how we store and move data by default — with no unencrypted pathway for learner records or organisational data at any stage of the data lifecycle.
AES-256 Encryption at Rest
Every piece of data stored on EdzLMS — learner profiles, course content, assessment results, compliance records, uploaded files — is encrypted using AES-256, the same standard used by financial institutions and government agencies globally. Encryption keys are managed separately from the data they protect, rotated on schedule, and stored in a hardware security module (HSM).
TLS 1.3 Encryption in Transit
All data transmitted between your learners, your administrators, and EdzLMS servers is encrypted using TLS 1.3 — the latest and most secure version of the Transport Layer Security protocol. We enforce HTTPS across all endpoints with HSTS headers, reject any connection attempting to use TLS 1.0 or 1.1, and use only strong cipher suites with forward secrecy.
Hosting & infrastructure
Enterprise-grade cloud infrastructure with 99.9% uptime SLA and active DDoS protection.
EdzLMS is hosted on enterprise-grade cloud infrastructure with redundant availability zones, auto-scaling, global CDN distribution, and a Web Application Firewall that blocks threats before they reach your learners’ data.
Backup & disaster recovery
Your data is backed up every 6 hours. Recovery time tested, not assumed.
Disaster recovery is only valuable if it’s been tested. We run quarterly DR exercises against documented RTO and RPO targets — and we publish those results to clients on request.
Data lifecycle & your rights
You own your data. We hold it on your behalf. You can take it back — or delete it — any time.
Data portability and the right to deletion are not exceptions we handle reluctantly — they are built into the platform as first-class operations with documented workflows and confirmation timelines.
What data we collect
We collect only the data necessary to operate the LMS: learner profile information, learning activity records, assessment results, certificates, and system access logs. We collect no behavioural tracking data beyond what is needed to measure learning engagement. We do not sell data to third parties under any circumstance.
- Learner name, email, role, and department
- Course enrolment and completion records
- Assessment attempts, scores, and answers
- Login timestamps and session duration
- Certificates issued and download history
Data portability & export
You can export your complete organisational data at any time — learner records, completion data, certificate archives, assessment histories, and course content — in standard formats (CSV, JSON, SCORM). No lock-in. No export fees. We provide a full data export within 5 business days of a written request.
- Full learner data export in CSV / JSON on request
- Course content export in original SCORM format
- Certificate archive with verification metadata
- Assessment records with full answer history
- Delivered within 5 business days — no charge
Data deletion & right to erasure
When a learner requests erasure (GDPR Article 17) or an organisation offboards from EdzLMS, all personal data is deleted from production systems within 30 days and from encrypted backups within 90 days. We provide a written deletion confirmation. Portal-level deletion removes all organisational data, content, and learner records permanently and irreversibly.
- Individual learner erasure request: 30-day processing
- Backup purge: 90 days from deletion request
- Full portal deletion: 30 days — all data permanently removed
- Written deletion confirmation certificate provided
- Audit log of deletion actions retained for legal compliance
Access control & identity management
The right people see the right data. Everyone else sees nothing.
Identity and access management is one of the most common attack vectors. EdzLMS enforces role-based permissions, enterprise SSO, multi-factor authentication, and a complete audit trail of every privileged action.
Role-Based Access Control (RBAC)
Six default permission roles — Super Admin, Organisation Admin, Department Manager, Instructor/Faculty, Learner, and Auditor-Read-Only. Custom roles configurable per deployment. Permissions enforced at API level — no client-side-only restrictions.
- Granular permissions per module and feature
- Department-scoped visibility — managers see only their team
- API-level enforcement — no bypass via client manipulation
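The RBAC description above (role set, department-scoped visibility, enforcement on the server rather than in the client) can be shown as a small authorisation layer. This is an added example, not EdzLMS code: the six role names are the ones listed on the page, while the permission names, the resource model, the hypothetical routes and the sample records are assumptions made for illustration.

```python
"""Role-based, department-scoped authorisation enforced on the server.

Added example, not EdzLMS code. The six role names come from the page; the
permission names, resource model, routes and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Permission sets per role (assumed names; the page lists the roles only)
ROLE_PERMISSIONS = {
    "super_admin":        {"learner:read", "learner:write", "settings:write"},
    "organisation_admin": {"learner:read", "learner:write"},
    "department_manager": {"learner:read", "learner:write"},
    "instructor":         {"learner:read", "assessment:grade"},
    "learner":            {"self:read"},
    "auditor_read_only":  {"learner:read", "audit:read"},
}

# From the page: managers see only their own team
DEPARTMENT_SCOPED_ROLES = {"department_manager"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    department: Optional[str]   # None for organisation-wide roles


@dataclass
class LearnerRecord:
    user_id: str
    name: str
    department: str


class Forbidden(Exception):
    """Raised by the API layer; the client never gets to decide this."""


def require(principal: Principal, permission: str) -> None:
    """Server-side permission check; nothing sent by the client is trusted."""
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise Forbidden(f"role {principal.role!r} lacks {permission!r}")


def visible_scope(principal: Principal, requested_department: Optional[str]) -> Optional[str]:
    """The server decides the department filter; a scoped role cannot widen it."""
    if principal.role in DEPARTMENT_SCOPED_ROLES:
        return principal.department          # client-supplied value is ignored
    return requested_department              # org-wide roles may filter or not


def list_learners(principal: Principal, records: List[LearnerRecord],
                  requested_department: Optional[str] = None) -> List[LearnerRecord]:
    """Handler for a hypothetical GET /learners route."""
    require(principal, "learner:read")
    scope = visible_scope(principal, requested_department)
    return [r for r in records if scope is None or r.department == scope]


def rename_learner(principal: Principal, records: List[LearnerRecord],
                   user_id: str, new_name: str) -> LearnerRecord:
    """Handler for a hypothetical PATCH /learners/{id} route."""
    require(principal, "learner:write")
    scope = visible_scope(principal, None)
    for r in records:
        if r.user_id == user_id:
            if scope is not None and r.department != scope:
                raise Forbidden("record is outside the caller's department")
            r.name = new_name
            return r
    raise KeyError(user_id)
```

The point of `visible_scope` is that a department manager who sends `?department=finance` still receives only their own department: the filter is derived from the authenticated principal, so manipulating the request cannot widen access.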
Enterprise SSO & MFA
Full enterprise SSO via SAML 2.0, OAuth 2.0, Azure Active Directory, Okta, and Google Workspace. Multi-factor authentication available for all user roles — enforced for admin accounts by default. Brute-force protection and account lockout after 5 failed attempts.
- SAML 2.0 · OAuth 2.0 · OIDC · LDAP
- TOTP, SMS, or hardware key MFA options
- Session timeout configurable per role
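Two claims on this page, that credentials are stored hashed rather than in plain text and that accounts lock after 5 failed attempts, combine into one login path. The following is an added example, not EdzLMS code. The page names bcrypt; bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here. The lockout duration, the iteration count and the in-memory account store are assumptions.

```python
"""Hashed credential storage plus brute-force lockout.

Added example, not EdzLMS code. The page states that passwords are hashed
with bcrypt and that accounts lock after 5 failed attempts; bcrypt is not in
the standard library, so PBKDF2-HMAC-SHA256 stands in for it. The lockout
duration, iteration count and in-memory store are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5      # from the page
LOCKOUT_SECONDS = 15 * 60    # assumption: the page gives no lockout duration
PBKDF2_ROUNDS = 100_000      # assumption: kept modest so the example runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'; the plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Checked for unknown accounts so response time does not reveal whether an
# email address exists (constructed value, never a real credential).
DUMMY_HASH = hash_password("not-a-real-password")


class AccountStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def add_user(self, email: str, password: str) -> None:
        self._users[email] = {"hash": hash_password(password), "failed": 0, "locked_until": 0.0}

    def login(self, email: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        user = self._users.get(email)
        if user is None:
            verify_password(password, DUMMY_HASH)   # same cost as a real check
            return "bad_credentials"
        if now < user["locked_until"]:
            return "locked"                         # password is not even checked
        if verify_password(password, user["hash"]):
            user["failed"] = 0                      # success clears the counter
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failed"] = 0                      # fresh count once the lock expires
            return "locked"
        return "bad_credentials"
```

Two details matter beyond the counter itself: a locked account returns `locked` before the password is examined, so the lock cannot be used as a guessing oracle, and an unknown email still pays for one hash computation, so the response time does not distinguish real accounts from non-existent ones.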
Immutable Audit Logs
Every administrative action, data access event, login attempt, permission change, and content modification is logged with a timestamp, user ID, IP address, and action detail. Logs are write-once, tamper-evident, and retained for 24 months. Available for export for compliance audits.
- 24-month retention · write-once · tamper-evident
- Searchable and filterable by user, action, date
- Exportable as CSV for external SIEM integration
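"Write-once, tamper-evident" for an audit log usually means each entry is bound to the one before it, so that editing, deleting or reordering entries breaks a chain that a verifier can check. The following is an added example, not EdzLMS code: the record fields (timestamp, user ID, IP address, action detail) follow the page, while the keyed hash-chain construction, the key handling and the sample events are assumptions constructed for illustration.

```python
"""Tamper-evident, append-only audit log built as a keyed hash chain.

Added example, not EdzLMS code. Record fields follow the page; the chain
construction, key handling and sample events are assumptions/constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64   # previous-seal value for the first entry


def _seal(key: bytes, body: dict) -> str:
    """HMAC over a canonical JSON encoding so field order cannot matter."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_chain(key: bytes, entries: List[dict]) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain is intact.

    Catches edited fields, removed entries, reordered entries and entries
    sealed under a different key.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "seal"}
        if body.get("prev") != prev or not hmac.compare_digest(_seal(key, body), e.get("seal", "")):
            return i
        prev = e["seal"]
    return None


class AuditLog:
    """Append-only in memory. Assumption: in production the key is held by a
    separate service, so whoever can write log rows cannot re-seal them."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._entries: List[dict] = []

    def record(self, ts: str, user_id: str, ip: str, action: str, detail: str) -> dict:
        """Append one entry chained to the previous seal."""
        prev = self._entries[-1]["seal"] if self._entries else GENESIS
        body = {"ts": ts, "user_id": user_id, "ip": ip, "action": action,
                "detail": detail, "prev": prev}
        entry = dict(body, seal=_seal(self._key, body))
        self._entries.append(entry)
        return entry

    def export(self) -> List[dict]:
        """Copies, so consumers (e.g. a SIEM exporter) cannot mutate the log."""
        return [dict(e) for e in self._entries]

    def verify(self) -> Optional[int]:
        return verify_chain(self._key, self._entries)
```

The chain alone makes tampering detectable by anyone who holds the key; to also cover an insider who holds the key, the usual design choice is to periodically anchor the latest seal somewhere the log writer cannot change, such as a write-once store or a signed timestamp.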
Vulnerability management & testing
We test our own security before attackers do.
Annual VAPT by a certified third-party firm is the minimum standard. We also run continuous automated scanning, static code analysis in every deployment pipeline, and a responsible disclosure programme for external researchers.
- Annual VAPT — full black-box and grey-box penetration test by CERT-In empanelled firm
- OWASP scanning — automated DAST scanning against OWASP Top 10 in every release
- SAST in CI/CD — static code analysis runs on every commit before deployment
- Dependency scanning — third-party libraries scanned for known CVEs daily
- Vulnerability SLAs — Critical patched within 24 hrs, High within 7 days, Medium within 30 days
- Responsible disclosure — security@edzlms.com · acknowledged within 48 hours
Enterprise trust & legal agreements
The documentation your procurement and legal teams need — ready and waiting.
Enterprise procurement processes require security documentation, legal agreements, and vendor assessments. We have all of it. We’ve done this before — and we know what your InfoSec team and legal counsel will ask for.
Data Processing Agreement (DPA)
GDPR-compliant DPA available for all enterprise customers. Defines our role as data processor, your rights as data controller, sub-processors used, and cross-border transfer safeguards. Signed on request before contract signature.
Request DPA
Security Questionnaires
Pre-filled responses to the most common vendor security questionnaires (VSQs), including SIG Lite, CAIQ, and custom enterprise formats. Most questionnaires completed and returned within 3–5 business days.
Submit questionnaire
VAPT Executive Summary
The executive summary and methodology overview of our most recent VAPT report is available to enterprise clients under NDA. Includes scope, testing methodology, findings summary, and remediation status.
Request under NDA
Uptime SLA & Incident Response Plan
Contractual 99.9% uptime SLA with defined P1/P2/P3 response times, incident notification obligations, and service credits for SLA breaches. Incident response plan available on request for enterprise review.
Request SLA documentation
Ready to assess EdzLMS for your enterprise?
We welcome due diligence. Send us your security questionnaire.
Whether your InfoSec team needs a pre-filled SIG questionnaire, your legal team needs a DPA, your CISO wants the VAPT report, or your procurement committee wants a security architecture walkthrough — our security team will respond within 3 business days. No pushback. No deflection.