This article describes some of the techniques and procedures that we have in place.

At Easy LMS, security of your data is our top priority. We constantly try to break our own security systems in order to identify weak points.

Software architecture

Easy LMS is built on top of our own Content Management System (CMS). This system is developed on top of the open-source Yii PHP framework. Yii uses a model-view-controller (MVC) architecture, which allows for structured, clean, and maintainable code. Yii is regarded as solid, fast, and secure.

Yii Framework

We utilize many of Yii's built-in security features, such as data encryption, XSS prevention, and data sanitization. User input is always validated on the server, even when client-side validation is also used.


Role Authorization

We have several types of users that can access the system, as you can see in the diagram below. Each higher security level gives a role access to additional parts of the system and data. From the support level upward, we use a login mechanism that differs from the client login, as an extra security layer.

Frequently asked questions

Below is a list of security questions we often get.

Where are your servers located?

Easy LMS runs on an Amazon Web Services cloud, or AWS for short. The servers and databases are physically located in Frankfurt, Germany.

How do you protect my data?

We protect your data in several ways:

All data is stored in a database that is fully encrypted, which means the data in it can only be retrieved in specific ways.
Personal data that we ask for is stored in the database using an extra layer of encryption. This means that even if the database is compromised, an attacker would not be able to read the data without the key to decrypt it.
Passwords are stored using a highly secure hashing algorithm. Unlike with other data, it is impossible to retrieve the original password from its hash.
Passwords are never sent to anyone in any way.
All communication between the client (you) and the server goes over an encrypted connection.

Who has access to my data?

You do, at all times. We can access some of your data, for example for support purposes and invoices. We never share your data without your consent.

Who has access to the database?

Our database is reachable by authorized users only. This authorization is handled by a separate system, so no Easy LMS account has direct access to the database. This system is reachable only from within our own internal network.

Do you process and store personal data?

We only ask for data that we need, for example for billing. We store this data encrypted in our database.

Do you have a procedure in case of a data leak?

Yes. If a data leak is detected we will take action immediately to first repair the leak and disable external access. We will inform stakeholders within 48 hours of a data leak being detected.

What type of encryption do you use?

Communication goes over HTTPS (TLS 1.2).
All data is encrypted using AES-256.
Passwords are stored using bcrypt hashing.
Personal data is stored using CBC or ECB encryption (depending on type and usage).

How do we use encryption for sensitive data?

Passwords are hashed via bcrypt.
Personal data, other than email addresses, is encrypted via AES-128-CBC.
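The CBC-versus-ECB choice described above has a concrete consequence worth seeing in code: ECB is deterministic (the same value always encrypts to the same bytes, which is what makes an encrypted column searchable by exact match), while CBC with a fresh random IV is not. The following is an added Go example, not Easy LMS code; the 16-byte key and the sample value in the usage are constructed, and the functions work for any AES key size.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// pkcs7Pad fills the last block so values of any length occupy whole blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB uses no IV: equal plaintexts give equal ciphertexts under one key, so
// an exact-match lookup works, but anyone reading the table sees which rows match.
func EncryptECB(block cipher.Block, plaintext []byte) []byte {
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// EncryptCBC prefixes a fresh random IV to each ciphertext, so repeated values
// look unrelated; the IV is not secret and is stored alongside the data.
func EncryptCBC(block cipher.Block, plaintext []byte) ([]byte, error) {
	pt := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}

// DecryptCBC reads the IV back from the prefix and strips the padding.
func DecryptCBC(block cipher.Block, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not an IV plus whole blocks")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad padding")
}
```

Encrypting the same email address twice with EncryptECB yields identical bytes, while two EncryptCBC calls yield different ciphertexts that both decrypt to the original; neither mode authenticates the data, so a separate integrity check (such as a MAC) is needed to detect tampering with stored ciphertext.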

Do you support Single sign-on?

Yes. You can read about which SSO methods we support in this article.

Do you have backups?

Yes, we do. We make daily snapshots of our database with a retention period of 35 days.

What software platforms do you use?

Ubuntu ≥ 18.04
Alpine ≥ 3.12
Apache ≥ 2.4
PHP ≥ 8.1
MariaDB ≥ 10.4

Do you perform code reviews?

Yes, all code changes require a code review. A change cannot enter production without the approval of at least two developers.

What type of support do you have?

You can reach us through our website. Our support department is available from 08:30 am until 11:00 pm (CET), Monday to Friday. Our support consultants speak Dutch, English, German, French, Portuguese, and Spanish. We provide support in all other languages with the help of machine translation.

How long does it take to respond to a request?

This depends on the type of request, but typically within 48 hours. On average we answer you within 67 minutes.

Do you perform penetration tests?

We are looking into this. Some of our clients perform their own pen tests on our system and share their results. It goes without saying that any issues that arise get our immediate attention.

Can I perform a penetration test?

We invite you to do so; many of our other customers have done the same. We do ask you to let us know upfront, so that we are aware there might be some extra pressure on our servers.

How often do you update the software?

Continuously. We constantly work on improvements to the software security and new features. Whenever there is a fix for a bug or a security issue, we deploy this immediately.

How do you test your software?

We test our software both manually and automatically. Before every deployment, our system goes through several stages, one of which is the testing phase. During this phase, an automated system runs thousands of automated tests, such as unit tests, functional tests, and integration tests. This makes sure that whatever changes we make to our software don't break other functionality or security measures. If even one test fails, the build is rejected and sent back to development to be fixed.

Are all employees entrusted with data processing bound to data secrecy?

Yes, each of our employees signs a declaration that he or she will never share any information with parties that are not involved.

Do you have any hardening processes in place?

Yes, we do:

All security patches of our operating systems are installed.
We have anti-virus and anti-spyware installed on all our systems.
We have endpoint protection in place.
All login credentials, both on our workstations and in the platform, are required to be strong. We use two-factor authentication when appropriate.
We lock all PCs automatically when someone leaves their workstation.
We have a firewall in place.

How is separation enforced between the corporate network with its credentials and the production environment?

The credentials for the corporate network are different from those for the production environment. We don't allow access to the production environment through any form of SSO from our corporate network. Logging in to the production environment therefore requires separate credentials, which are available only to devops and sysadmins. Access logs are maintained.

How is your access and key management organized?

The CTO is in charge of access and key management and assigning authorizations. We only assign access if necessary for the job of the employee.

Are you GDPR-compliant?

The GDPR came into effect on May 25, 2018. We are pleased to confirm that Easy LMS is fully GDPR compliant. We've updated our Privacy Policy, Terms & Conditions and operations according to the GDPR. If you require a Data Processing Agreement with us, let us know and we will send you a digital document to sign. More information regarding the GDPR and what it entails can be found here.
