Security

Security by architecture.

We built LearnLedger for compliance-conscious teams. Security isn't a checklist at the end; it has shaped the stack from day one.

Passkey-only authentication

No passwords anywhere. Every user signs in with a passkey: Face ID, Touch ID, Windows Hello, or a security key. Credential stuffing and phishing drop to zero because there's nothing for an attacker to steal.

  • Modern passkey standard
  • Multiple devices per user
  • Labelled and revocable from the user's own settings
  • Secure recovery when a device is lost

Strict workspace isolation

Each workspace is strictly separated from every other. Nobody outside your organisation can see, list, or reach any of your data; this is enforced at every layer and regularly verified with automated tests.

  • Separate data scope per workspace
  • Role-based access inside the workspace
  • Automated cross-workspace access tests

Append-only audit log

Every significant action (invites, assignments, completions, certificates, uploads) is written to a tamper-proof log. Nothing can be edited or deleted after the fact. Admins can filter and export slices for auditors.

  • Dozens of tracked event types
  • Cannot be edited or deleted
  • Role-scoped views: employees see their own, admins see the company

Private file access

Uploaded videos, documents, and certificates are never publicly addressable. Every download passes through an authorised route that checks who you are, which workspace you're in, and whether you have permission.

  • No public URLs for uploaded content
  • Per-request authorisation
  • Separate storage per workspace

Encryption in transit

TLS 1.3 end-to-end in production, with strict browser security headers on every page, so your team's traffic can't be intercepted or reframed by third parties.

  • TLS 1.3 everywhere
  • HSTS preload-ready
  • Strict content security policies
  • Locked-down iframing and referrer behaviour

Session integrity

Short-lived sessions that regenerate on every sign-in. When an administrator signs in as another user for support, that fact is recorded separately so the audit trail stays honest.

  • Short session lifetimes
  • Session regeneration on sign-in
  • Impersonation is always explicitly logged

Billing data minimisation

We don't store payment cards. All card data lives at our regulated EU payment processor; LearnLedger only ever holds the billing metadata needed to run the subscription.

  • No card data on our servers
  • PCI-DSS regulated processor
  • Clean, auditable invoice records

EU hosting and processors

Your data stays in the European Union. Our payment and invoicing partners are both Dutch companies, so no data leaves the EU in the billing path.

  • EU-residency hosting
  • EU payment processor
  • EU invoicing and bookkeeping

Data portability

CSV exports per course and per team. Full database exports on request. No vendor lock-in: your data is yours, in formats you can actually use.

  • CSV exports on every plan
  • Public API for programmatic access
  • Full data export on request

What we don't do

Absence is a security property too.

  • No ad tracking or third-party analytics
  • No password resets; we don't store any passwords
  • No public storage buckets
  • No ticket-system emails with secrets in the subject line
  • No customer logos invented for the homepage
  • No engagement-driven dark patterns

Ready for the audit conversation.

Start with a free workspace and show your compliance lead a real record.

Start free