Security Policy

Security Policy for Tickbox LMS

Effective Date: 2025-04-04

At Tickbox LMS, we prioritize the security and privacy of our users. This Security Policy outlines the measures we take to protect sensitive user data, including personal information, financial transactions, and other confidential data. This policy applies to all aspects of our Learning Management System (LMS) and the handling of user information across our platform.

1. Data Protection and Privacy Commitment

We are committed to ensuring the confidentiality, integrity, and availability of all sensitive user data. We adhere to strict data protection standards and take proactive measures to prevent unauthorized access, data breaches, or data loss. We comply with relevant data protection regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI-DSS) to protect user information.

2. Encryption and Secure Data Transmission

To protect user data during transmission and storage, we implement industry-standard encryption techniques:

Encryption in Transit: All data exchanged between users and our website is encrypted using SSL/TLS (HTTPS) to ensure that data is transmitted securely and is protected from eavesdropping, tampering, and man-in-the-middle attacks.

Encryption at Rest: Sensitive data, such as passwords and financial information, is encrypted when stored on our servers. We use strong encryption algorithms (such as AES-256) to ensure that even if data is accessed by unauthorized parties, it remains unreadable.

Password Storage: User passwords are stored using bcrypt hashing, a one-way hash function (not reversible encryption), so the original passwords cannot be recovered even if the stored hashes are exposed in a breach.
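As an added illustration of the bcrypt storage described above (example code, not Tickbox LMS's own implementation), the following uses PHP's native password API, which is what Laravel's Hash facade wraps by default. The cost factor and the demo password are assumptions.

```php
<?php
// Added example, not Tickbox LMS code: bcrypt password storage and verification
// using PHP's native password API.
declare(strict_types=1);

// Assumed work factor: tune it so one hash takes roughly 100-250 ms on the
// production hardware, and raise it over time as hardware gets faster.
const BCRYPT_COST = 12;

// Store only the hash. bcrypt generates a random salt per password and embeds
// the salt and the cost in the output string ($2y$12$...), so no separate salt
// column is needed.
function hashPassword(string $plaintext): string
{
    // bcrypt silently truncates input beyond 72 bytes; reject longer input
    // rather than letting two different passwords collide.
    if (strlen($plaintext) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// At login: password_verify() compares in constant time. If the stored hash
// was produced with a lower cost than the current policy, $rehash receives a
// fresh hash so the account record can be upgraded transparently.
function verifyPassword(string $plaintext, string $storedHash, ?string &$rehash = null): bool
{
    if (!password_verify($plaintext, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $rehash = hashPassword($plaintext);
    }
    return true;
}

// Constructed demo input.
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
```

The rehash-on-login step is what lets a site raise its cost factor without forcing every user through a password reset.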

3. Authentication and Access Control

We enforce strict authentication mechanisms and access control to prevent unauthorized access to user accounts and data:

Multi-Factor Authentication (MFA): We offer and encourage the use of multi-factor authentication (MFA) for all users to enhance the security of their accounts. MFA requires users to provide two or more verification methods before gaining access, e.g., something they know, such as a password, and something they have, such as an SMS code or an authenticator app.

Role-Based Access Control (RBAC): We implement role-based access controls to limit access to user data based on their role within the LMS (e.g., students, instructors, administrators). This ensures that sensitive data is only accessible by authorized individuals.

Session Management: We use secure session management techniques, including automatic session timeouts after periods of inactivity and secure cookie handling, to protect against session hijacking.

4. Protection Against Attacks

We employ a variety of security measures to protect against common web application vulnerabilities and attacks:

SQL Injection Prevention: We use parameterized queries (also known as prepared statements) and Laravel’s built-in Eloquent ORM to safeguard against SQL injection attacks, ensuring that user input is never directly executed as a SQL query.

Cross-Site Scripting (XSS): We sanitize all user inputs to prevent malicious code (JavaScript or HTML) from being executed in the browser, thereby protecting users from Cross-Site Scripting (XSS) attacks.

Cross-Site Request Forgery (CSRF): We protect against Cross-Site Request Forgery (CSRF) by using Laravel’s built-in CSRF protection, ensuring that requests from unauthorized sources cannot perform actions on behalf of authenticated users.

Clickjacking Protection: We implement X-Frame-Options headers to prevent our application from being embedded within iframes on malicious websites, protecting against clickjacking attacks.

Security Patches: We regularly update our Laravel framework, dependencies, and server software to apply security patches for known vulnerabilities, ensuring that our platform is always up to date.
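To make the three Laravel controls named in this section concrete (parameter binding, CSRF token checks and the X-Frame-Options header), here is an added example in Laravel-style PHP. It is illustrative code, not Tickbox LMS's own implementation; the table, route, middleware class name and project layout are assumptions.

```php
<?php
// Added example, not Tickbox LMS code: the SQL injection, CSRF and
// clickjacking controls from this section as they appear in Laravel code.
declare(strict_types=1);

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

// 1. SQL injection: pass user input as a bound parameter. The database driver
//    receives the value separately from the SQL text, so it can never change
//    the structure of the query. (Table name "courses" is assumed.)
function findCoursesByTitle(string $term): array
{
    // Unsafe pattern shown for contrast only; string concatenation lets the
    // input rewrite the query:
    //   DB::select("select * from courses where title like '%$term%'");
    return DB::select('select * from courses where title like ?', ['%' . $term . '%']);
}

// 2. Clickjacking: middleware that adds X-Frame-Options to every response.
//    Register it globally in the application's HTTP middleware configuration
//    (location depends on the Laravel version; assumed here).
class FrameOptionsMiddleware
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        $response->headers->set('X-Frame-Options', 'DENY');
        // Current browsers honour the CSP equivalent; sending both covers
        // old and new user agents.
        $response->headers->set('Content-Security-Policy', "frame-ancestors 'none'");
        return $response;
    }
}

// 3. CSRF: Laravel's VerifyCsrfToken middleware, part of the default "web"
//    middleware group, rejects POST/PUT/PATCH/DELETE requests whose _token
//    field or X-CSRF-TOKEN header does not match the session token. Every
//    state-changing form therefore carries the token via the @csrf directive:
//
//      <form method="POST" action="/courses/{{ $course->id }}/enrol">
//          @csrf
//          <button type="submit">Enrol</button>
//      </form>
//
//    Keep state changes on POST-style verbs: a GET route that modifies data
//    bypasses this check entirely.

// Output escaping note for the XSS item above: Blade's {{ $value }} syntax
// HTML-encodes output by default; only {!! $value !!} bypasses it, so that
// form should never be used for user-supplied content.
```

The "unsafe pattern" comment is the single most common way the SQL injection protection described above gets undone in practice: a developer drops to a raw query with string interpolation for a one-off report. Code review and a grep for `DB::raw`/`DB::select` with interpolated strings are a cheap check against that regression.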

5. Data Retention and Disposal

We retain user data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, or resolve disputes. When data is no longer required, we follow secure disposal practices:

Data Anonymization: When data is no longer needed for its original purpose, we may anonymize or pseudonymize it to retain useful data without compromising user privacy.

Data Deletion: Upon request or when no longer required, user data is securely deleted in a way that prevents recovery (e.g., using secure erasure techniques).

6. Security Monitoring and Incident Response

We continuously monitor our system for any suspicious activity or potential security incidents. Our monitoring practices include:

Intrusion Detection Systems (IDS): We use IDS tools to detect and alert us about any potential unauthorized access or abnormal activities within our system.

Logging and Audit Trails: We maintain detailed logs of system access, user activities, and other critical events. These logs help us detect suspicious behavior and respond promptly to potential security incidents.

Incident Response Plan: In the event of a security breach or data incident, we have an Incident Response Plan in place. This plan includes immediate measures to mitigate any potential harm, notification procedures to inform affected users and regulators (when required), and corrective actions to prevent future incidents.

7. Third-Party Security

We ensure that any third-party vendors, contractors, or service providers that have access to sensitive user data also adhere to strong security practices. This includes:

Third-Party Audits: We conduct regular security audits and assessments of third-party services and integrations, ensuring they meet our security requirements.

Data Processing Agreements (DPA): Where applicable, we sign Data Processing Agreements with third-party vendors to ensure that they comply with relevant privacy and security regulations, including the GDPR.

Secure Integrations: We use secure APIs and data transfer protocols when integrating third-party services (such as payment processors and learning tools), and ensure that data is always encrypted in transit.

8. User Education and Awareness

We are committed to educating our users about security best practices. We provide guidance on:

Creating Strong Passwords: We encourage users to choose strong, unique passwords and offer suggestions on how to do so.

Phishing Awareness: We regularly inform users about phishing threats and how to recognize legitimate communication from our platform.

9. Compliance with Regulations

We take the necessary steps to ensure compliance with relevant regulations and industry standards, including:

General Data Protection Regulation (GDPR): We comply with GDPR requirements, ensuring that user data is handled lawfully, transparently, and securely. Users have rights regarding their data, including access, correction, deletion, and the right to withdraw consent.

California Consumer Privacy Act (CCPA): We comply with CCPA, ensuring that California residents have the right to access, delete, and opt out of the sale of their personal data.

Payment Card Industry Data Security Standard (PCI-DSS): We comply with PCI-DSS standards for the processing, storing, and transmitting of payment information, ensuring that all financial transactions are handled securely.

Conclusion

At Tickbox LMS, we are committed to protecting the security and privacy of our users. We continuously review and improve our security measures to ensure that your data is handled with the highest level of care. We encourage users to be vigilant and take advantage of the security features we offer to safeguard their accounts and personal information.
