
Security Statement

Last updated: October 15, 2026

Overview

Fluenco Academy takes the security of our learners’ and corporate clients’ data extremely seriously. The Services are built with security as a first-class design principle, applying industry-recognized standards and continuous monitoring. This Security Statement provides a non-technical overview of our practices.

1. Data in transit and at rest

  • TLS everywhere. All traffic between users’ browsers and our infrastructure is encrypted in transit with industry-standard TLS (TLS 1.2 minimum, TLS 1.3 preferred) using 256-bit cipher suites. HTTPS is enforced site-wide; plain HTTP requests are redirected to HTTPS.
  • Encryption at rest. Persistent data is stored on managed cloud databases with disk-level encryption (AES-256) provided by our cloud infrastructure partners.
  • Passwords are never stored in plain text. We use industry-standard bcrypt hashing with a per-user salt and a tuned work factor.

2. Infrastructure and hosting

Our application infrastructure is hosted on enterprise-grade cloud providers that maintain robust certifications, including but not limited to SOC 2 Type II, ISO/IEC 27001, and where applicable ISO/IEC 27018 and PCI DSS. Current providers include Vercel (frontend edge delivery) and Amazon Web Services (AWS) (compute, databases, and storage). Our infrastructure-of-record evolves over time, and we may add or replace sub-processors subject to the same or higher security standards.

Network access between our services is restricted via private networking, security groups, and least-privilege IAM policies.

3. Access controls and authentication

  • Single sign-on with Google OAuth and email/password authentication are both supported. Email/password accounts enforce a minimum policy of 8 characters, including at least one letter and one digit.
  • Role-based access segregates Learner, Teacher, HR, and Admin permissions both client-side and server-side.
  • Session management uses HttpOnly, Secure cookies with strict expiration. Sessions are invalidated server-side on password reset or sign-out.
  • Internal access to production systems is restricted to a small set of authorized personnel who require it to perform their duties. Access is granted on a need-to-know basis, audited, and revoked promptly upon role change or departure.
  • Multi-factor authentication is mandatory for our administrative accounts on cloud-provider consoles and code repositories.

4. Application security

  • We follow secure development practices: code review, dependency scanning, automated test coverage, and regression testing of authentication and authorization logic.
  • Sensitive credentials (API keys, webhook secrets, SMTP passwords, database connection strings) are managed through environment variables and never committed to source control.
  • Webhooks (for example, the Airtable user-invite webhook) are authenticated using shared-secret HMAC-style headers and verified at request time.
  • Inputs are validated server-side using Pydantic schemas; output is rendered safely to prevent injection vulnerabilities.

5. Proactive monitoring and logging

  • We maintain audit logs of authentication events (sign-ins, password resets, session creation), administrative actions, and webhook events.
  • Application errors and resource usage are continuously monitored. Anomalies trigger alerts to the engineering on-call rotation.
  • Our cloud providers’ built-in DDoS protection and rate limiting reduce the impact of malicious traffic at the edge.

6. Backups and disaster recovery

  • Production databases are backed up automatically by our cloud provider with point-in-time recovery for a rolling window of at least 7 days, in addition to daily snapshots retained for 30 days.
  • Recovery procedures are documented and tested periodically.

7. Vendor and sub-processor due diligence

Before engaging a sub-processor that may handle personal data on our behalf, we evaluate its security posture, certifications, and contractual commitments. Each sub-processor signs a data-protection agreement at least as protective as the obligations Fluenco owes to its users and clients.

8. Incident response

In the event of a confirmed security incident affecting personal data, Fluenco will:

  • Investigate and contain the incident promptly;
  • Notify affected corporate clients without undue delay and, where required by law (including Articles 33 and 34 of the GDPR and Article 20 of the LFPDPPP), within 72 hours of becoming aware of the breach;
  • Cooperate with the relevant authorities and provide details of the impact and corrective measures.

9. Reporting vulnerabilities

If you believe you have discovered a security vulnerability in our Services, please email us at info@fluencoacademy.com with the subject line “Security Disclosure”. We commit to acknowledging your report within 5 business days and to working with you in good faith to remediate confirmed issues. We ask that you do not publicly disclose details of any vulnerability until we have had a reasonable opportunity to address it.

10. Continuous improvement

Security is an ongoing process. We regularly review and update our policies, procedures, and technical safeguards to reflect changes in the threat landscape, our customer base, and applicable regulations.

Questions, requests, or complaints?

Email info@fluencoacademy.com — Fluenco Academy, Calle Lourdes 87, Zacautizco, Benito Juárez, C.P. 03550, Mexico City, Mexico.