Security & Data Practices
Last updated: 2026.
Our Commitment to Security
Boost eLearning handles learner data, enterprise training records, and organizational credentials on behalf of hundreds of companies. We treat the security of that data as a core operational responsibility, not an afterthought. This page summarizes the technical and organizational measures we maintain. For details on how we collect and use your data, see our Privacy Policy.
1. Transport Security
All data transmitted between your browser (or API client) and Boost eLearning infrastructure is encrypted in transit using TLS 1.3 (with TLS 1.2 as a minimum fallback). We enforce HTTP Strict Transport Security (HSTS) with a one-year max-age and includeSubDomains, ensuring browsers always connect over HTTPS. We score A+ on independent TLS configuration audits (e.g., SSL Labs). HTTP connections are redirected to HTTPS automatically.
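The HSTS policy stated above (one-year max-age plus includeSubDomains) is something a customer or auditor can verify from a single response header. The following is an added example, not Boost eLearning's own code: it parses a Strict-Transport-Security header value following the RFC 6797 directive syntax and reports any way in which it falls short of that policy. The header values it runs against are constructed for illustration, not captured from any real host.

```python
"""Check a Strict-Transport-Security header against a stated HSTS policy.

Added example, not Boost eLearning's code. Verifies a one-year max-age and
the includeSubDomains directive. Sample header values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31536000, the value SSL Labs treats as "long"


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an HSTS header value; directive names are case-insensitive (RFC 6797)."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(header_value: Optional[str], min_max_age: int = ONE_YEAR_SECONDS) -> List[str]:
    """Return a list of findings; an empty list means the header meets the policy."""
    if header_value is None:
        return ["Strict-Transport-Security header is missing"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if policy.max_age is None:
        findings.append("max-age directive is missing")
    elif policy.max_age == 0:
        # max-age=0 tells the browser to forget the host's HSTS state.
        findings.append("max-age=0 disables HSTS for this host")
    elif policy.max_age < min_max_age:
        findings.append(f"max-age {policy.max_age} is below the required {min_max_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains directive is missing")
    return findings


# Constructed sample header values (not captured from any real host).
SAMPLE_HEADERS = {
    "compliant": "max-age=31536000; includeSubDomains; preload",
    "short_max_age": "max-age=86400; includeSubDomains",
    "no_subdomains": "max-age=31536000",
    "disabled": "max-age=0",
    "missing": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label}: {check_hsts(value) or ['OK']}")
```

In practice the value passed to check_hsts would come from a live response, e.g. the `Strict-Transport-Security` header of an HTTPS GET against the site; the header is only meaningful on an HTTPS response, so the HTTP-to-HTTPS redirect mentioned above should be followed before reading it.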
2. Data Hosting and Infrastructure
Our platform is hosted on enterprise-grade cloud infrastructure in data centers with SOC 2 and ISO 27001 certifications. Data is physically stored in the United States, with disaster-recovery replicas in a geographically separate region. All infrastructure runs within private networks with strict firewall rules; public-facing services are isolated from internal systems using network segmentation.
3. Encryption at Rest
All persistent data stores, including relational databases, object storage, and backup archives, are encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service (KMS) with automatic rotation. Sensitive fields (e.g., API credentials, payment-related tokens) receive additional application-layer encryption before database storage.
4. Access Controls and Authentication
Access to production systems follows the principle of least privilege:
- All internal staff with access to production infrastructure are required to use multi-factor authentication (MFA)
- Role-based access control (RBAC) ensures staff see only the data necessary for their job function
- Access to customer data is logged and audited
- Privileged access is reviewed quarterly and revoked immediately upon termination
- Database and infrastructure access is managed through a bastion host with session recording
Learner and administrator accounts are protected by bcrypt password hashing, optional MFA, session expiry, and brute-force protection.
5. Backups and Disaster Recovery
Automated backups of all databases and course content stores are performed daily. Backups are encrypted and stored in a geographically separate region. We test backup restoration quarterly. Our Recovery Time Objective (RTO) is 4 hours and our Recovery Point Objective (RPO) is 24 hours for most production systems.
6. Vulnerability Management
- Quarterly vulnerability scanning: automated scans of our infrastructure and application surfaces for known CVEs and misconfigurations
- Annual penetration testing: a third-party security firm conducts a comprehensive black-box and gray-box penetration test of our web application, API, and infrastructure; findings are remediated within defined SLAs based on severity
- Dependency management: automated software composition analysis (SCA) flags outdated or vulnerable dependencies in our code; high-severity findings trigger immediate patching
- Security patches: critical OS and application security patches are applied within 72 hours of vendor release; medium/low-severity patches follow a regular monthly cycle
7. SOC 2 Type II
Boost eLearning is currently pursuing SOC 2 Type II certification across the Trust Services Criteria of Security, Availability, and Confidentiality. Our SOC 2 audit observation period is underway. Enterprise customers requiring a current controls summary or evidence of security practices for procurement purposes may contact [email protected] to request our security questionnaire response or CAIQ (Consensus Assessments Initiative Questionnaire).
8. Incident Response
We maintain a documented Incident Response Plan (IRP) aligned to NIST SP 800-61. In the event of a security incident that involves personal data, we will:
- Contain and investigate the incident within 24 hours of detection
- Notify affected enterprise customers and, where required by law, relevant supervisory authorities within 72 hours of confirming a personal data breach
- Provide a post-incident report to affected enterprise customers upon request
9. Responsible Disclosure
We welcome responsible security research. If you believe you have discovered a security vulnerability in our platform, please report it to [email protected]. Please include:
- A clear description of the vulnerability and potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots
We commit to acknowledging your report within 2 business days, keeping you informed of our remediation progress, and not pursuing legal action against researchers who act in good faith. We ask that you avoid accessing, modifying, or exfiltrating customer data during your research.
10. Data Processing Agreements
Enterprise customers requiring a Data Processing Agreement (DPA) for GDPR, CCPA, or other compliance obligations may request one from [email protected]. Our DPA includes standard contractual clauses (SCCs) for cross-border data transfers and specifies the technical and organizational measures described on this page.
11. Employee Security Training
All Boost eLearning employees complete security awareness training at onboarding and annually thereafter. Training covers phishing recognition, data handling, password hygiene, and incident reporting procedures.