Security Overview

Hosting & infrastructure

• Primary hosting is provided via AWS (regions: [Global]).
• Content delivery may use a CDN (e.g., CloudFront) with global edge locations; origins remain in the configured region(s).
• Environment separation is used for development, staging, and production where applicable.

Access control

• Access is restricted by role and least privilege (RBAC), with administrative access limited to authorised personnel.
• Authentication may be enforced via SSO / identity provider (e.g., Cognito) where configured.
• Secrets are managed using secure storage and are not intended to be hardcoded in source code.

Encryption

• Encryption in transit: TLS/HTTPS for web and API traffic.
• Encryption at rest: enabled where supported by underlying storage services (e.g., managed storage encryption).

Logging & monitoring

• Operational logging and monitoring are used to support reliability, troubleshooting, and security investigations.
• Access to logs is restricted and audited where available.
• Leanr aims to minimise sensitive data in logs and supports redaction/configuration where applicable.

Vulnerability management

• Leanr follows a patching and dependency update process appropriate to the platform’s risk profile.
• Security issues may be prioritised and remediated based on severity and exploitability.

Incident response

• Leanr maintains an incident response process to triage, investigate, contain, and remediate security incidents.
• Where Leanr acts as a processor, customer notification is handled consistent with contractual and legal obligations.

Data protection

• Leanr supports Data Processing Addendum (DPA) terms for processor obligations.
• Subprocessors are disclosed here: /legal/subprocessors.

Customer responsibilities

• Customer is responsible for the security of credentials, user access management, and lawful configuration of campaign and consent settings.
• Customer should review and approve outputs (including AI-assisted outputs) before use in live media.