Security

Security & Compliance at America Learns

Your data’s safety is our highest priority. We’ve built our platform—and our company—with security, privacy, and trust at the core.


Governance & Oversight

  • Security & Privacy teams manage internal policies and monitor compliance.
  • Controls are enforced consistently across the organization and reviewed regularly.
  • Risk assessments inform continuous improvement of our controls and processes.

Our Foundational Principles

  • Least Privilege: Access is granted only to those with a legitimate business need.
  • Defense-in-Depth: Layered protections are applied across all systems.
  • Consistency: Controls are applied uniformly across environments.
  • Continuous Improvement: Controls are regularly refined for better effectiveness, auditability, and lower friction.

Certifications & Compliance

  • SOC 2 Type II attestation (in progress)
  • Controls aligned with ISO 27001
  • Compliant with GDPR, CCPA, HIPAA, and PCI DSS as applicable

Data Protection

  • Data at Rest: All data is encrypted using AES-256. Sensitive data also receives field-level encryption.
  • Data in Transit: TLS 2.0+ encryption across all traffic. Certificates managed by Google Cloud Load Balancers.
  • Key & Secret Management: Keys and secrets are stored securely via GCP’s Key Management Service and Secret Manager.

Infrastructure & Application Security

  • Hosted on Google Cloud Platform (GCP)
  • CI/CD pipelines include automated security checks
  • 24/7 monitoring, firewalling, and intrusion detection in place

Vulnerability Management

  • Static Analysis (SAST): Code is tested during PRs and in real time
  • Software Composition Analysis (SCA): Detects vulnerable dependencies
  • Malicious Dependency Scanning to prevent malware risk
  • Dynamic Analysis (DAST): Run on live apps
  • Network Vulnerability Scans are conducted regularly
  • External Attack Surface Management (EASM): Actively monitors for new external exposure

Enterprise Security

  • Endpoint Protection: Devices managed via MDM with anti-malware, disk encryption, and secure configurations enforced
  • 24/7 Endpoint Monitoring and alerting in place
  • Secure Remote Access: All internal systems are accessed via secure VPN infrastructure

Vendor Security

We assess vendor risk based on data sensitivity, production access, and brand impact. All vendors undergo risk evaluation and must meet strict security standards prior to onboarding.

Identity & Access Management

  • Access managed through Google IAM
  • Phishing-resistant authentication used wherever possible
  • Role-based provisioning with immediate deprovisioning on termination
  • Access requests require documented business justification

Security Training

  • All staff complete annual security training and sign confidentiality agreements
  • New engineers attend a secure coding best practices workshop

Incident Response

America Learns maintains a comprehensive incident response plan. If a security incident impacts your data, we’ll notify affected clients promptly and transparently in accordance with regulatory and contractual requirements.


Questions?

To learn more about our security and compliance practices or to request documentation, reach out at [email protected].