Platform privacy and security FAQ

CYPHER Learning handles regulatory and compliance monitoring through a combination of internal controls, third-party audits, and continuous system monitoring:

• Certifications: SOC 2 Type 2 certified and TX-RAMP Level 1 (conditional) Fast Track accepted.
• Data protection: Compliant with GDPR, CCPA, FERPA, HIPAA, PCI-DSS and other major regulations.
• Monitoring: Uses AWS GuardDuty, DataDog, and internal audit logs for continuous compliance oversight.
• Accessibility: WCAG 2.1 AA compliance is in place, with WCAG 2.2 AA and EAA compliance is in progress.
• Policies: Maintains strict internal policies for data access, encryption, and incident response.
• Support: Compliance requests (e.g., data subject rights, audit inquiries) are managed through dedicated support channels.

CYPHER Learning proactively monitors regulatory changes through dedicated compliance and legal teams. When new laws arise:

• Impact assessments are conducted to evaluate platform and policy changes.
• Product updates are implemented to meet new data handling or privacy requirements (e.g., new user rights, consent flows).
• Policies and documentation are updated accordingly (e.g., DPA, Privacy Policy).
• Customer communication and support is provided to guide organizations through necessary actions.
• Continuous monitoring tools and third-party audits ensure ongoing compliance.

Yes, CYPHER Learning is fully compliant with EU restrictions and requirements on the storage, maintenance, and usage of employee data. We ensure compliance with the following:

• Data Sovereignty: We host data in regional AWS data centers (e.g., Frankfurt for the EU, Virginia for the US, Sydney for APAC), ensuring data is stored within the designated jurisdictions as required.
• GDPR Compliance: We fully align with GDPR regulations, which govern the processing and storage of personal data for individuals within the EU. This includes adhering to data subject rights such as access, correction, and deletion.
• Data Processing Agreement (DPA): We have a robust DPA in place, ensuring proper safeguards for personal data in line with GDPR and other relevant laws.
• EU-US Privacy Shield: CYPHER Learning complies with the EU-US Privacy Shield framework, which ensures that personal data transferred from the EU to the United States is handled with adequate protection and privacy safeguards.
• SOC 2 Controls: We maintain SOC 2 compliance, which includes strong security, availability, and confidentiality practices for managing customer data.

In addition, we cooperate with EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) to investigate unresolved complaints, further ensuring compliance with EU data protection regulations.

CYPHER Learning adheres to leading privacy, risk management, and cybersecurity frameworks, including:

• SOC 2 Type 2
• GDPR, CCPA, FERPA, PCI-DSS, and HIPAA (as applicable)
• TX-RAMP Level 1 (Conditional Acceptance)

Data is hosted regionally (U.S., EU, APAC), and cross-border data transfers are handled using Standard Contractual Clauses (SCCs) and other recognized safeguards. All data is encrypted, access is role-based, and continuous monitoring ensures secure, compliant operations globally.

Yes. CYPHER Learning complies with applicable domestic and international regulations. While EU Safe Harbor has been replaced by Privacy Shield, CYPHER aligns with current cross-border data transfer frameworks and privacy laws.

CYPHER Learning provides granular auditing capabilities that include:

• User activity logs: Login attempts, course enrollments, assignment submissions, etc.
• Admin actions: Changes to settings, user roles, and custom fields
• Content changes: Course edits, deletions, and versioning
• SSO and API usage logs: Authentication events and API access tracking

CYPHER Learning uses automated security scanning tools to check for vulnerabilities in both custom code and third-party components:

• Static Application Security Testing tools scan code for common vulnerabilities
• Dependency scanners
• AWS Inspectors are used for vulnerability assessment and threat detection
• DataDog monitors runtime behaviors for anomalies

CYPHER Learning uses vetted third-party service providers (e.g., AWS for hosting). Controls in place include:

• Vendor due diligence and screening before engagement
• Data Processing Agreements (DPAs) with strict privacy and security terms
• Access controls and role restrictions, ensuring least-privilege access
• Regular audits and monitoring of third-party activities
• SOC 2 controls and TX-RAMP compliance for secure vendor management

Data in the CYPHER Learning platform is backed up automatically:

• Daily full database snapshots with a 7-day rolling window
• Redundant storage across multiple availability zones (Multi-AZ) for high availability
• Point-in-time recovery supported via AWS RDS with records maintained for up to 1 year
• File storage (e.g., uploads) is backed up using versioned and replicated S3 buckets

CYPHER Learning classifies sensitive data based on standard privacy and security frameworks such as GDPR, CCPA, PCI-DSS, and SOC 2. The classifications include:

• Personally Identifiable Information (PII): Names, emails, usernames, IP addresses
• Educational Records: Score, assessments, and course enrollments (FERPA-protected)
• Authentication Data: Passwords, SSO tokens
• Financial Data (if applicable): Payment details for e-commerce features

Sensitive data is identified through schema-level tagging, field-level access controls, and automated monitoring tools. These are tracked via audit logs, database schemas, and compliance reporting tools to ensure appropriate handling and visibility.

Yes. All data is handled according to the same high-security standards and compliance, however if a customer requires additional security for certain data points, additional protections can be added at the tenant level.

In the CYPHER Learning platform, sensitive data is not transferred to test environments by default. When test environments require real data, data anonymization and scrambling techniques are applied, such as:

• Replacing user names and emails with dummy values
• Masking or hashing personally identifiable information (PII)
• Obfuscating content and comments to preserve format but remove meaning

CYPHER Learning implements multiple safeguards against abuse and malicious actors, including:

• Rate limiting on APIs to prevent abuse
• Multi-factor authentication (MFA) and strong password policies, including support for authenticator applications
• Role-based access controls (RBAC) for data and feature permissions
• IP whitelisting and VPN isolation for system access
• Regular vulnerability scans, penetration testing, and malware scanning
• Security incident response plan and real-time threat detection via AWS GuardDuty and other tools

Data can be exchanged through multiple secure interface methods:

• RESTful APIs: Primary method for data exchange; supports user, course, enrollment, grade, and report data. Secured via HTTPS, API keys, and rate limiting.
• Webhooks: For real-time event-based data sharing (e.g., new user or enrollment).
• CSV Imports/Exports: For bulk data operations (e.g., user uploads), via secure admin access.
• SSO/SAML Attributes: Used for identity-related data exchange during authentication.
• Integration platforms (Zapier, Workato): Enables connection with third-party apps via secure automation flows.

No SOAP APIs are currently exposed. All interfaces are secured with TLS encryption, RBAC, and monitored for integrity.

CYPHER Learning has no special firewall or network constraints beyond standard internet access. Communication to, from, and within the platform is secured through:

• HTTPS (TLS encryption) for all data in transit
• Firewall protections and network isolation within AWS using VPCs and security groups
• Role-based access controls (RBAC) and IP whitelisting (optional)
• Monitoring tools like AWS GuardDuty and CloudWatch to detect and respond to suspicious activity

CYPHER Learning takes a comprehensive, defense-in-depth approach to data encryption and security across all layers of our infrastructure.

Data in Transit is secured using TLS 1.2 or higher, ensuring end-to-end encryption as information moves between systems. This includes communications between users and the application, API traffic, and internal system connections—safeguarding sensitive information from interception or tampering.

Data at Rest is encrypted using AES encryption standards, fully compliant with FIPS 140-2 requirements. This protects stored data across application servers, job servers, and storage layers. Each disk is encrypted and hosted behind firewalls that restrict traffic to essential services only. Our platform’s architecture is distributed across multiple availability zones, adding resiliency and continuity even in the case of localized outages.

Edge-level security is enhanced through the use of content delivery networks like AWS CloudFront and Azure FrontDoor, enabling secure and optimized access to global users. These services enforce HTTPS at the edge with custom SSL certificates per customer.

Encryption key management is handled via AWS Secrets Manager and Azure Key Vault, ensuring secure storage and strict access controls for encryption keys, passwords, and credentials. Keys are rotated according to cloud provider best practices and can be managed on demand. No credentials are stored in source code.

Our architecture also includes:

• Containerized deployment (moving toward Kubernetes) for better isolation and control.
• Encrypted background job processing distributed across availability zones.
• Use of MySQL 8 with Multi-AZ and read replicas for high performance and secure availability.
• Secure object storage with AWS S3 and Azure Blob Storage for uploaded and generated files.
• Encrypted search indexing via AWS ElasticSearch and Azure Search Service.
• Centralized, monitored email delivery through AWS SES with optional custom SMTP support.

This holistic encryption and infrastructure strategy ensures that customer data is always protected—whether it’s being transferred, stored, processed, or cached—giving enterprise clients full confidence in our platform’s security and resilience.

CYPHER Learning ensures secure handling of credentials, updates, and deployments by following best practices for security and efficiency.

Credential Handling: All credentials to access internal infrastructure, including passwords, API keys, SSH keys, and other sensitive information, are securely stored in AWS Secrets Manager or Azure Key Vault. This approach prevents any credentials from being stored in source code, reducing the risk of unauthorized access.

Credential Updates: We automate credential rotation within AWS Secrets Manager and Azure Key Vault, ensuring that keys are regularly updated without manual intervention. Once updated, credentials are securely propagated to the relevant systems, and all changes are logged for audit and compliance purposes.

Deployment Process: CYPHER Learning utilizes a secure and automated deployment process through Capistrano for application deployment, with GitHub managing the codebase. We have containerized our application and, as of June 2023, are migrating to Kubernetes with a full CI/CD pipeline for continuous deployment. This pipeline ensures that credentials are securely injected at runtime, without exposing them during the deployment process.

Security of Application Servers and Services:

• Application Servers: Our application servers, distributed across multiple availability zones, are protected by firewalls restricting traffic to essential services. Each server's disk is encrypted for added security.
• Job Servers: Background jobs are processed by encrypted job servers distributed across availability zones, with access restricted to necessary services.

Data Storage and Security:

• Redis Cache: We utilize Amazon ElastiCache for cached data storage, enhancing performance and maintaining high availability.
• MySQL Database Cluster: MySQL 8 powers our database, with Multi-AZ and Read Replica configurations to ensure high performance and availability.
• File Storage: AWS S3 and Azure Blob Storage are used for securely storing user-uploaded files, with additional security provided by serverless Lambda processes.

Search and Content Delivery:

• Search: AWS ElasticSearch and Azure Search Service are employed to quickly index and retrieve data, reducing the load on primary databases.
• Content Delivery: AWS CloudFront and Azure FrontDoor manage global content delivery, ensuring users receive content from the fastest data center, secured with custom SSL certificates.

DNS and Email Services:

• DNS: Amazon Route 53 and Azure DNS ensure highly available and geographically distributed DNS hosting for fast and reliable domain resolution.
• Email Delivery: AWS SES is used to manage email delivery, providing centralized monitoring and compliance features, with options for custom SMTP configurations.

CYPHER Learning data centers are hosted on AWS, which provides enterprise-grade physical and operational security. Key measures include:

• Staff Screening & Access: AWS data center personnel undergo rigorous background checks, and physical access is restricted via biometric and badge-based controls.
• Monitoring: Both proactive (real-time threat detection via AWS GuardDuty) and reactive monitoring are in place. Infrastructure is also monitored using DataDog and AWS CloudWatch.
• Bulk Restrictions: IP whitelisting and access control policies prevent unauthorized bulk access.
• Intrusion Detection & Alerting: Automated threat detection tools (e.g., GuardDuty, Inspector) trigger alerts and log incidents for review and response.

Yes. The security and monitoring systems for CYPHER Learning's data centers are primarily provided by third-party services, notably AWS, which handles physical security, threat detection, and infrastructure monitoring.

CYPHER Learning relies on AWS data centers, which maintain Tier 3+ physical and environmental controls, including:

• 24/7 surveillance, biometric access, and mantraps
• Fire detection and suppression systems
• Redundant power (UPS, generators) and cooling systems
• Geographic diversity with regional hosting in North Virginia (USA), Frankfurt (EU), and Sydney (AU)

These controls meet global compliance standards like SOC 2, ISO 27001, and FIPS 140-2. All physical infrastructure is managed exclusively by AWS.

CYPHER Learning employs robust auditing and penetration testing practices:

• Penetration Testing: Conducted by third-party experts at least annually, covering application, API, and infrastructure layers.
• Log Monitoring: Logs include system events, user activity, API calls, authentication events, and error logs. These are reviewed via AWS CloudWatch, DataDog.
• Review Frequency: Security logs are monitored in real-time with periodic review by the security team, and alerts are triggered on anomalies.
• Audit & Remediation: Our last SOC 2 Type 2 audit (Sept–Nov 2023) identified minor issues (e.g., access control logging), which were promptly remediated through tightened RBAC policies and updated logging configurations.

Security reviews and audits are part of our continuous compliance and risk management strategy.

Clients using CYPHER Learning have the ability to:

• Inspect and monitor user activity via reporting logs (e.g., logins, course activity, admin actions)
• Export reports for compliance tracking and historical reviews
• Integrate via API
• Customize role-based access to limit or expand visibility into system actions
• Request audit logs or access reports through support or data request channels

No. CYPHER Learning has not experienced any known security breaches within the last 5 years. The company maintains rigorous security practices, including SOC 2 Type 2 compliance, regular penetration testing, continuous monitoring, and incident response protocols to prevent and detect potential threats proactively.

In the event of a security breach, CYPHER Learning follows a formal Incident Response Plan, which includes:

• Immediate containment and assessment of the breach
• Customer notification within 72 hours of confirmed breach discovery, per GDPR and industry best practices
• Direct communication via email and account representatives
• Ongoing updates as investigation and remediation progress

CYPHER Learning enforces data quality through:

• Field validations for formats and required inputs (e.g., email, names)
• Dropdowns and pick lists to standardize entries
• CSV/API upload checks to ensure data integrity before importing
• API schema validation for data type and structure
• Role-based permissions to limit who can modify key data
• AI Crosscheck during course creation to ensure content accuracy and flag inconsistencies
• xAPI Dictionary standardization customizable by administrator to standardize data usage

CYPHER Learning proactively monitors regulatory changes through dedicated compliance and legal teams. When new laws arise:

• Impact assessments are conducted to evaluate platform and policy changes.

The platform is fully web-based and designed to be compatible with modern, standards-compliant browsers to ensure optimal performance and security. CYPHER Learning supports and is certified against the following browser versions:

• Google Chrome (latest two stable versions)
• Mozilla Firefox (latest two stable versions)
• Microsoft Edge (latest two stable versions)
• Apple Safari (latest two stable versions on macOS)

CYPHER Learning follows a structured certification process for new browser versions:

1. Monitoring Releases: New browser version releases are tracked for major browsers (Chrome, Firefox, Edge, Safari)
2. Automated Testing: Core platform functionality is tested using automated test suites on the latest browser versions
3. Manual QA: Key workflows (e.g., login, course access, admin tasks) are validated manually in staging environments
4. Issue Resolution: Any incompatibilities or UI issues are resolved before certification
5. Approval & Support: Once verified, the browser version is added to the supported list and monitored for ongoing performance

Yes. CYPHER Learning provides limited backward compatibility with older browser versions, focusing on maintaining functionality for the last two stable versions of major browsers (Chrome, Firefox, Edge, Safari). While basic access may still work on older versions, full functionality and support are not guaranteed, and users are encouraged to use up-to-date browsers for optimal performance and security. Additional versions may be supported for longer periods to support transitions when required.

Yes. The CYPHER Learning platform operates over HTTPS on port 443 for all browser and API communications.

Yes. JavaScript must be enabled to use the CYPHER Learning platform. JavaScript is essential for core functionality, including navigation, interactive elements, and dynamic content rendering across the user interface. Additionally, xAPI content that is played requires JavaScript as part of the content package requirements.

Customers connect to the CYPHER Learning platform via a secure web browser or mobile application over HTTPS. Access is provided through a unique or branded URL. Authentication is handled via standard login, SSO (e.g., SAML, LDAP, Google, Microsoft), or integrated identity providers.

CYPHER Learning implements Role-Based Access Control (RBAC), assigning users roles like admin, instructor, or learner, each with specific permissions. Roles define what users can see and do within the platform. Admins can also create custom roles with fine-grained control, ensuring users only access what they’re authorized to.

Auditability by user ID is managed internally by CYPHER Learning DevOps and Support teams. Detailed logs track user actions and are tied to specific user IDs, but these logs are not directly accessible by clients. Clients can request access to relevant audit data through support channels for compliance or investigation purposes.

Yes. CYPHER Learning allows local system administrators to create, copy, edit, and delete custom role types directly within the platform — independent of any HR system. However, periodic recertification and approval workflows are not built-in and would need to be managed externally or through organizational policy.

Yes. CYPHER Learning can automatically assign or reassign roles in bulk using employee or organizational data via:

• CSV imports
• API calls
• SSO attribute mapping (e.g., from Okta or Azure AD)