Security
How CourseCode Cloud handles your content, your clients' data, and access to your account. No marketing claims — just what's actually true.
Infrastructure
Content delivery via Cloudflare
Course files are stored on Cloudflare R2 and served through Cloudflare's global CDN. All traffic between learners and content is encrypted in transit via TLS. Content at rest is encrypted by default on R2.
No shared compute for course delivery
Course content is served as static files directly from the CDN. Learner content requests do not touch application servers.
Data Handling
Learner PII is not stored
CourseCode Cloud does not store learner names, email addresses, or personal identifiers. Learner identity is managed entirely by the client's LMS. We receive launch events and track completion data, not user profiles.
What we do store
We store course files, deployment metadata, license configuration, error events, and xAPI/SCORM completion records keyed to anonymous session identifiers. No data is sold or shared with third parties.
Access Control
Organization-based access
Every account belongs to an organization. Team members are granted roles (owner, member) with access scoped to that organization only. There is no cross-organization data access.
License token authentication
Each license issued to a client LMS includes a unique signed token. The Gatekeeper engine validates this token on every launch request. A revoked or expired license is blocked immediately at the API layer.
Instant license revocation
Toggling a license to revoked takes effect immediately. No caching or propagation delay — the next launch attempt from that client is blocked without waiting for a cache to expire.
Source Code and Content Ownership
Your source stays yours
Course source code lives in your own git repository. It is never stored on CourseCode servers. Only the built output (static files) is uploaded to Cloud when you choose to deploy.
You can leave at any time
Export your built course as a standard SCORM or cmi5 package from the dashboard at any time. No proprietary format lock-in.
Audit and Observability
Deployment audit trail
Every deployment promotion and rollback is recorded with a timestamp, the actor, and a required reason field. The full history is visible in the dashboard.
Error and launch logging
Runtime errors and learner launch events are logged per course. Organization owners can view and export this data from the dashboard.
Responsible Disclosure
Report a vulnerability
If you find a security issue, please contact us at [email protected]. We aim to respond within 2 business days and will work with you on a responsible disclosure timeline.
Have security questions?
Reach out before you sign up. We're happy to answer procurement questionnaires or discuss your organization's requirements.
[email protected]