
Security & Trust

Last updated 2026-05-20 · Draco Learning LMS

This page summarizes the security controls in place for Draco Learning LMS. For a security questionnaire response or to request a Business Associate Agreement (BAA), email damien@dracolearning.com.

Data residency

All Draco Learning LMS data — production database, file storage, backups — is hosted in the United States. No data is transferred outside the US in the normal course of operation.

Encryption

  • In transit — TLS 1.2 or higher on every HTTPS connection. HSTS enabled (1 year, includes subdomains). HTTP automatically redirects to HTTPS.
  • At rest — managed-database encryption on the production tier; encrypted off-site backups.

Authentication & access

  • bcrypt password hashing (cost factor 10).
  • Rate-limited login — 20 attempts per IP per 15 minutes, 6 per email per 15 minutes.
  • reCAPTCHA v3 on every public form (login, signup, password reset).
  • Session security — sessions regenerate on login, are HTTP-only and SameSite=Lax, and expire after 30 minutes of inactivity.
  • CSRF tokens on every state-mutating POST.
  • Activity log captures every admin write operation with before/after values, IP, and user agent. Retained 365 days by default.

Two-factor authentication for facility administrators is on the 2026 roadmap.

Application security

  • Content-Security-Policy with strict allowlist (only known origins for scripts, styles, frames).
  • HSTS, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin.
  • Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy (CORP) set to same-origin.
  • Permissions-Policy blocks camera, microphone, geolocation, payment, and other sensitive APIs we don't use.
  • Parameterized SQL via PDO prepared statements throughout — no string concatenation against user input.
  • Output escaping via the canonical lms_e() helper on every user-supplied value rendered to HTML.
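As an added example (not Draco Learning code), a small Python audit that checks a captured response's headers against the controls listed above; the sample header set, including the Stripe frame origin in it, is constructed rather than taken from the service.

```python
# Added example (not Draco Learning code): audit a response's security headers
# against the controls this page lists. The sample header set is constructed.
FIXED = {  # headers whose value the page states outright
    "x-frame-options": "sameorigin", "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin", "cross-origin-resource-policy": "same-origin",
}
SAMPLE_HEADERS = {  # constructed to match the stated policy, not a real capture
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com",
    "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

def parse_directives(value: str) -> dict[str, list[str]]:
    """Split a ';'-separated header (CSP, HSTS) into {directive: tokens}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per stated control that is missing or weakened."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS (Encryption section): max-age of one year and includeSubDomains.
    hsts = parse_directives(h.get("strict-transport-security", "").replace("=", " "))
    if int(hsts.get("max-age", ["0"])[0]) < 31536000:  # one year in seconds
        findings.append("HSTS max-age below one year or header missing")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    # CSP: scripts, styles and frames need an explicit allowlist (default-src is the fallback).
    csp = parse_directives(h.get("content-security-policy", ""))
    for d in ("script-src", "style-src", "frame-src"):
        src = csp.get(d, csp.get("default-src"))
        if src is None or any(t in ("*", "'unsafe-inline'") for t in src):
            findings.append(f"CSP: {d} is not a strict allowlist")
    for name, want in FIXED.items():
        if h.get(name, "").strip().lower() != want:
            findings.append(f"{name} should be {want}")
    # Permissions-Policy must name each feature the page says is blocked.
    policy = h.get("permissions-policy", "").replace(" ", "").lower()
    for feature in ("camera", "microphone", "geolocation", "payment"):
        if f"{feature}=()" not in policy:
            findings.append(f"Permissions-Policy does not block {feature}")
    return findings
```

Running `audit_headers` over a real capture (for example the header dict returned by an HTTP client) yields an empty list only when every control on this page is present as stated.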

Payment data

We never store payment card details. All card capture, charging, and storage happens with Stripe under PCI-DSS Level 1 controls. Our database holds only the Stripe customer ID and subscription ID — opaque tokens that cannot be used to charge or display card data.

Email & PHI

Draco Learning LMS is designed to operate without PHI. Training records (who completed which course) are not PHI under HIPAA. If your facility's course content references PHI in examples, please redact it before upload.

For facilities that require it, a Business Associate Agreement is available on request.

Backups & recovery

  • Daily automated backups of the production database.
  • Pre-migration backups before any destructive schema change.
  • Retention policy: the five newest backups are kept.
  • Backups are encrypted off-site.

Vulnerability disclosure

If you discover a security vulnerability, please email damien@dracolearning.com with the subject line "SECURITY". We will acknowledge within 24 hours and work with you on coordinated disclosure. We do not currently offer a paid bug-bounty program but will gratefully credit researchers in our changelog (with permission).

Compliance posture

  • HIPAA-aware design (no PHI stored by default; BAA available).
  • SOC 2 Type II — preparation in progress; formal audit on the 2026 roadmap.
  • ISO 27001 — under consideration as enterprise adoption grows.

If your security questionnaire requires a specific certification we don't yet hold, please reach out — we will tell you honestly whether and when we expect to obtain it.