learn-co.de

Security Statement

LEARN-CO.DE LTD ("learn-co.de", "we", "us", "our")

Version 1.0 — Effective 22 June 2026

We know schools are trusting us with children's data, and we take that seriously. This statement summarises the technical and organisational measures we use to keep data secure. It supports our Data Processing Agreement and Privacy Policy.

Tenant isolation

Each school's data is isolated by school (schoolId). A user from one school cannot access another school's data. Access checks are enforced server-side (in our database security rules), not merely in the user interface.

Access control

  • Role-based access: users are admins, teachers, or students.
  • Students can access only their own records and the classes they belong to.
  • Teachers can access only their own school's data.
  • No client-side privilege: roles, school identifiers, and trust-related values cannot be set by the user's browser. These are controlled and validated on the server side, so a user cannot grant themselves a different role or access another school.

Encryption

Data is encrypted in transit (TLS/HTTPS) and at rest, using the encryption provided by our infrastructure providers (Google Firebase/Firestore and Fly.io).

Least-privilege operations

  • Our staff operate on a least-privilege basis. Access to production systems and data is restricted to those who need it, used only for support and operations, and logged.
  • We do not use production personal data in test or development environments.

Logging and monitoring

Significant administrative actions are logged to a reasonable and proportionate extent, supporting accountability and incident investigation.

Backups and recovery

We maintain regular backups and a documented recovery process, so data can be restored in the event of a failure. Backups are subject to the same access controls and are deleted on our standard rotation following deletion of live data.

Account security and authentication

  • Verified email required: every account must confirm ownership of its email address before it can be used — an unverified account cannot access the Service.
  • Users set their own passwords: teachers never set or see pupil passwords. Each user sets their own password via a secure, single-use, time-limited link sent to their verified email, so there are no shared or staff-known credentials.
  • Password handling: authentication is managed by Firebase Authentication; passwords are stored only in hashed form by the provider and are never visible to us in plaintext. School single sign-on (SSO) is also supported.

Email authentication (anti-spoofing)

Our sending domain is protected with SPF, DKIM and DMARC, so the verification and password emails we send can be trusted as genuinely from us, and our domain is protected against spoofing in phishing attempts.

Vendor security

We use a small number of reputable sub-processors (see our Sub-processor List), each bound by data-protection and security obligations consistent with our own.

Breach response

If a personal data breach occurs, we will notify the affected school without undue delay, and provide the information the school needs to meet its own obligations.

Continuous improvement

We review and improve our security measures over time. We are working towards recognised certification appropriate to an EdTech supplier (for example Cyber Essentials), in line with what schools and Department for Education procurement increasingly expect. [Update this section as certifications are achieved.]

Reporting a vulnerability

If you believe you have found a security vulnerability, please contact us at security@learn-co.de (or privacy@learn-co.de) with details, and allow us a reasonable time to investigate and respond before public disclosure.

Version 1.0 — Effective 22 June 2026 · Use “Download PDF” above to save a copy.