Platform Security & Trust

Security Isn’t a Feature. It’s the Foundation Everything Else Is Built On.

EdzLMS stores learner data, compliance records, assessment results, and organisational training history for thousands of users across regulated industries. We treat that responsibility seriously — with enterprise-grade encryption, infrastructure controls, data governance, and independent security testing.

Key controls at a glance: AES-256 encryption at rest; TLS 1.3 in transit; ISO 27001 aligned; GDPR compliant; 99.9% uptime SLA; annual VAPT.

Platform Security Status: All Systems Secure
Data encryption (AES-256): Active
WAF + DDoS protection: Active
Uptime (30-day): 99.98%
Last backup: 2 hrs ago
Intrusion detection: No alerts
TLS certificate: Valid, TLS 1.3

Four Independent Certifications

Our security posture is independently verified — not self-declared. These certifications are renewed annually and documentation is available to clients on request.

ISO 9001:2015
Quality management system. Consistent, documented service delivery across all client engagements. Audited annually by an accredited certification body.
ISO 27001:2022
Information security management system — the global standard for enterprise-grade data protection. Covers all aspects of how we handle, store, and protect client data.
GDPR Compliant
Full EU data protection compliance. Data subject rights honoured within statutory timeframes. Data Processing Agreement available for all enterprise clients.
VAPT Certified
Annual penetration testing by a CERT-In empanelled security firm. Vulnerability assessment covers all platform components. Executive summary available under NDA.

Security Philosophy: Assume breach. Minimise damage.

Our architecture is designed around the assumption that any system can be compromised. Defence-in-depth means that even if one layer fails, multiple additional controls limit the blast radius.

Security-by-design
Security controls baked into architecture from day one — not added as a layer after the fact.
Defence-in-depth
Multiple independent security layers. WAF, RBAC, network segmentation, encryption at rest and in transit.
Zero-trust network
No implicit trust inside the network perimeter. Every request authenticated and authorised independently.
Principle of least privilege
Every role, service, and API key carries only the minimum permissions required to function.
Immutable audit logs
Write-once, tamper-evident logging of every admin action, login, and data access. 24-month retention.
Annual independent VAPT
Penetration testing by a CERT-In empanelled firm. Findings are remediated before certification renewal.

Encryption: At Rest and In Transit

Every byte of learner data is protected by industry-standard encryption — whether it’s sitting on a server or moving between your browser and our platform.

AES-256 At Rest
Every piece of data — learner profiles, course content, assessment results, compliance records, audit logs — encrypted using AES-256. Encryption keys stored in a Hardware Security Module (HSM), rotated on a defined schedule, with per-tenant key isolation. No plaintext data stored anywhere in the system.
TLS 1.3 In Transit
All data in transit encrypted using TLS 1.3 — the most current and secure transport protocol. HTTPS enforced across all endpoints with HSTS headers. TLS 1.0 and 1.1 explicitly rejected. Certificate pinning where applicable. SSL Labs A+ rating maintained continuously.

Access Control — Three Layers

Access to learner data, admin functions, and compliance records is controlled at multiple independent layers — not a single password.

Role-Based Access Control
Six default permission roles. Custom roles configurable per deployment. API-level enforcement — no client-side bypass possible. Admin access requires MFA.
SSO + MFA
SAML 2.0, OAuth 2.0, Azure AD, Okta, Google Workspace. MFA enforced for all admin accounts. Brute-force protection and automatic lockout after 5 failed attempts.
Tamper-Evident Audit Logs
Every admin action, data access event, and login attempt logged. Write-once, tamper-evident. 24-month retention. Exportable for compliance audits in standard formats.
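The "write-once, tamper-evident" audit logging described here and under Security Philosophy is asserted but not explained. One common way to make an append-only log tamper-evident is a SHA-256 hash chain, where each entry commits to the hash of the one before it. The example below is added here for illustration and is not EdzLMS code; the entry fields and sample events are constructed.

```python
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # constructed anchor for the first entry's prev_hash


def entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on key order.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only list of events; each event's hash covers its own fields and prev_hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "target": target, "prev_hash": prev}
        body["hash"] = entry_hash(prev, {k: v for k, v in body.items() if k != "hash"})
        self.entries.append(body)
        return body["hash"]  # the head hash; anchor it externally to also detect truncation


def verify_chain(entries: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev_hash"] != prev or entry_hash(prev, body) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, -1


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    # Constructed sample events: intact log, an edited entry, and a deleted entry.
    log = AuditLog()
    log.append("admin@example.test", "role.update", "user:42")
    log.append("admin@example.test", "login", "admin@example.test")
    log.append("export-service", "data.export", "tenant:7")
    intact = verify_chain(log.entries)
    edited = [dict(e) for e in log.entries]
    edited[1]["target"] = "user:99"          # rewriting history breaks entry 1's hash
    deleted = [e for i, e in enumerate(log.entries) if i != 1]  # entry 2 now points at the wrong prev
    return intact, verify_chain(edited), verify_chain(deleted)
```

Deleting the newest entry is not caught by the chain alone, which is why the returned head hash should be recorded or signed out of band at regular intervals.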

Your Data Rights

We collect what is needed to operate the platform. We do not sell data. We honour all data subject rights within statutory timeframes.

What We Collect
Learner profile data, course progress, assessment results, login events, and audit trail entries necessary for platform operation and compliance reporting. No data sold to third parties. No advertising profiling.
Data Export
Full data export available within 5 business days of written request. Delivered in standard machine-readable format. No charge. Applicable to both individual learner requests and full organisational exports.
Data Deletion
Right to erasure honoured within 30 days of verified request. Written confirmation provided. Backup purge completed within defined retention window. Process documented in our DPA.
Enterprise security documentation — ready on request.

Data Processing Agreement (DPA)
Security Questionnaire Responses (InfoSec / Vendor Risk)
VAPT Executive Summary (available under NDA)
Uptime SLA & Incident Response Plan

We welcome due diligence. Send us your security questionnaire.

Security questionnaires returned within 3–5 business days. DPA available immediately. VAPT executive summary available under NDA. Our InfoSec team is ready for your review process.
