LXD360 Security and Privacy Policy
Effective Date: 1 June 2025
Last Updated: 2 June 2025
LXD360 is committed to the highest standards of information security and privacy. We have implemented a comprehensive risk management program and a security governance framework (aligned with ISO/IEC 27001), and we undergo regular SOC 2 audits. These controls help protect client data, foster trust, and ensure compliance with applicable laws and regulations. Our approach encompasses secure hosting infrastructure, robust encryption, stringent access controls, a secure development lifecycle, prompt incident response, and adherence to data subject rights.
Infrastructure and Hosting Security
- AWS Cloud (primary hosting): LXD360’s platform runs on AWS, leveraging AWS’s certified infrastructure. All data storage services (e.g., Amazon S3, RDS) offer robust encryption. AWS encrypts data at rest with AES-256 and supports key management via AWS Key Management Service (KMS) or Hardware Security Module (HSM). All AWS global network traffic, including traffic between regions or Availability Zones (AZs), is encrypted by default. We follow AWS well-architected guidance to classify data and enforce encryption for sensitive categories.
- Wix Website (Public Site): Our public website is hosted on Wix, which offers enterprise-grade security. Wix enforces HTTPS/TLS (TLS 1.2+ with automatic SSL) for all web traffic and AES-256 encryption for data at rest. Wix maintains SOC 2 Type 2 and ISO 27001 certifications, and is compliant with GDPR and CCPA regulations. This ensures that even our website and related customer interactions are secured by industry-standard controls.
- Physical and Network Security: AWS and Wix data centers meet rigorous industry standards (e.g., ISO, PCI-DSS) and utilize FIPS-validated hardware for key protection. We rely on their physical, environmental, and network safeguards, and additionally enforce perimeter security controls (firewalls, intrusion detection, network segmentation) within our AWS environment.
Security Standards and Compliance
LXD360 maintains a formal Information Security Management System (ISMS) that follows international best practices. We align with ISO/IEC 27001 (the global standard for information security) to manage risk and protect data confidentiality, integrity, and availability. We also adhere to the SOC 2 Trust Services criteria defined by the AICPA, implementing controls that ensure the security, availability, confidentiality, processing integrity, and privacy of client data. Together, these frameworks guide our policies and procedures (incident management, risk assessment, change control, etc.) and are validated by independent audits and certifications.
Data Encryption
- In Transit: All network traffic to and from LXD360 systems is encrypted using industry-standard Transport Layer Security (TLS). TLS provides authentication, confidentiality, and integrity protection for data between client and server. We use TLS 1.2 or higher (HTTPS for web traffic) to secure user sessions and API calls. This ensures that sensitive information (login credentials, course data, etc.) cannot be intercepted in transit.
- At Rest: All sensitive data stored by LXD360 is encrypted at rest. We use AES-256-bit encryption, a government-approved cipher, for stored data in AWS. (Wix similarly encrypts stored data with AES-256.) Encryption keys are managed securely: AWS Key Management Service (KMS) protects keys within FIPS-validated Hardware Security Modules (HSMs). Database and file-system encryption, as well as encrypted backups, ensure that data remains unintelligible without proper decryption keys.
- Key Management: We apply the principle of least privilege to encryption keys and use strong, approved algorithms. Keys are rotated and audited in accordance with AWS and NIST guidance. By default, highly confidential data is encrypted, and access to keys is controlled via strict IAM policies.
Access Control
- Least Privilege: Employee and contractor access is tightly restricted. We grant users only the minimum permissions needed for their role (the “least privilege” principle). For example, developers may have access to development resources but not to production data, while helpdesk staff have limited access to data to assist users. We regularly review access rights and promptly revoke access when roles change.
- Authentication: All user accounts (including administrative and developer accounts) require strong authentication. We enforce multi-factor authentication (MFA) for system access, combining something users know (password) with something they have (a mobile OTP app or hardware token). This complies with NIST recommendations and AWS best practices, significantly reducing the risk of credential compromise. Single sign-on (SSO) with MFA is used for internal tools.
- Identity and Roles: We utilize centralized identity management solutions (e.g., AWS IAM, Identity Center) to manage access to cloud resources. Service accounts and third-party integrations also follow IAM best practices (temporary credentials, role-based access). Access to source code, databases, and production systems is logged and audited.
Secure Software Development
LXD360 follows a Secure Development Lifecycle (SDLC) to build and maintain our learning platform software. Security is integrated into every phase: requirements, design, implementation, testing, and maintenance.
Key practices include:
- Code Reviews & Testing: All code (including infrastructure-as-code) undergoes peer review and static/dynamic analysis to catch vulnerabilities early. We follow OWASP and NIST SSDF guidelines so that security considerations (input validation, authentication checks, etc.) are addressed before release. Every release is subject to automated security scans (SAST/DAST) and manual review.
- Patching and Updates: We maintain a rigorous patch management program. Servers, libraries, and dependencies are updated with critical patches as soon as practicable. NIST emphasizes that “preventive maintenance through patch management helps prevent compromises, data breaches… and other adverse events”. Our automated processes track available updates, test patches in a staging environment, and roll them out systematically to production.
- Dependency Management: We track third-party components (open-source libraries, containers) and promptly address vulnerabilities through upgrades. Dependency and supply-chain security tools alert us to emerging risks.
- Incident Drills and Reviews: We periodically conduct security drills and penetration tests on our platform to identify potential vulnerabilities. Post-incident and post-release retrospectives ensure continuous improvement of our SDLC and security controls.
Incident Response and Notification
LXD360 maintains a documented Incident Response Plan (aligned with NIST SP 800‑61) to detect, analyze, and remediate security incidents. Key elements include:
- Prompt Detection and Containment: We use monitoring and logging (AWS CloudTrail, GuardDuty, etc.) to detect anomalies. Once an incident is suspected, our response team follows predefined playbooks to contain threats and preserve evidence.
- Internal Communication: The response team immediately notifies senior management, IT, and affected business units. Roles and responsibilities (e.g., incident commander, communication lead) are clearly defined. Staff training ensures everyone knows how to report and escalate incidents.
- External Notification: We take data breaches seriously. If a breach affecting personal data is confirmed, LXD360 will promptly notify both impacted customers and relevant regulators. Where required by law, we follow timelines such as the GDPR’s 72-hour breach notification rule. For example, GDPR mandates notifying the supervisory authority “without undue delay and, where feasible, not later than 72 hours” after discovery. U.S. regulations (e.g., OMB M-07-16) also require timely breach notifications to affected parties. We maintain templates and processes so that any legal obligations (state breach laws, GDPR Article 33, etc.) are met without delay.
Data Subject Rights and Privacy Laws
- GDPR Compliance: For EU residents, LXD360 honors the General Data Protection Regulation. We empower data subjects to exercise their rights, including the right to access their personal data, rectify inaccuracies, erase data (the “right to be forgotten”), restrict processing, and port their data to another provider. Requests (for access, deletion, etc.) are handled through our privacy team within statutory deadlines. We document and log all such requests to demonstrate accountability.
- CCPA/CPRA (California): California consumers are afforded rights under the CCPA/CPRA. This includes the right to know what personal information we collect and how it is used, the right to request the deletion of that information, and the right to correct any inaccurate information. We provide clear “Do Not Sell” notices and respect opt-out requests. Our policies ensure we respond to verified consumer requests in accordance with CCPA/CPRA requirements.
- HIPAA (where applicable): For any electronic protected health information (ePHI) handled by LXD360 (e.g., training content involving health data), we implement the required safeguards under the HIPAA Security Rule. This means administrative, physical, and technical measures to protect ePHI. We ensure strong access controls, encryption of ePHI, audit logging, and risk assessments as mandated for covered entities and business associates.
- Other Laws: We also monitor other relevant regulations (e.g., FERPA for education records, COPPA for children’s data, etc.) and incorporate their requirements as needed. Our Privacy Policy and data processing agreements comply with all applicable legal requirements.
Data Retention and Backup
LXD360 maintains clear data retention policies to ensure compliance with legal, regulatory, and business requirements. Personal and operational data are retained only as long as necessary, and sensitive logs (e.g., security logs) are archived per compliance requirements. We regularly review retention schedules and securely dispose of data when it is no longer needed.
We run a robust backup and recovery program. Client data and critical system snapshots are backed up frequently (daily incremental, weekly full, or as appropriate) in encrypted form. Backup integrity is verified, and restore procedures are tested regularly. As noted in security best practices, “establishing backup and recovery processes reduces the risk of data loss” and ensures data can be restored to maintain business continuity. By routinely testing our backups, we confirm that in the event of hardware failure, data corruption, or ransomware, we can recover data quickly and resume service with minimal disruption.
Continuous Improvement and Transparency
LXD360 is committed to continually improving our security posture. We conduct regular risk assessments, internal audits, and third-party audits (e.g., SOC 2, ISO 27001 recertification) to identify and remediate gaps. We also provide transparency to clients and prospects through due diligence questionnaires and third-party audit reports. Our policies are reviewed annually or whenever significant changes occur. We train employees on security and privacy awareness, fostering a culture of security at every level of our organization.
By adhering to industry standards and legal requirements, LXD360 ensures a secure and reliable environment for our platform, thereby maintaining the trust of our clients.
If you have questions about this policy or wish to give us notice of any violation, please get in touch with us at:
- LXD360, LLC
- Email: admin@lxd360.com
We will strive to respond to inquiries and complaints in a timely manner.