Security practices that protect your training data.

Security at IQEducate is an ongoing engineering practice, not a marketing claim. Because we host training records, quiz results, certificates, and learner data for many organizations at once, we design the product so that each organization's data stays isolated and access is controlled at every layer. This page describes the controls we actually have in place today, in plain language, so you can evaluate the product honestly rather than through vague assurances.

We deliberately keep this page modest. We do not hold SOC 2, ISO 27001, or similar certifications, and we will not imply that we do. What we can describe are the concrete technical measures that govern authentication, tenant isolation, permissions, and integrations — the things you would want to verify before trusting a training platform with your people's records.

Authentication and sessions

IQEducate uses Google OAuth for sign-in. We never ask users to create or store a password with us, which removes an entire category of credential-handling risk. Sign-in is delegated to Google, and we only receive the identity details needed to establish an account.

Once signed in, users are issued server-side sessions rather than long-lived tokens held in the browser. Session state is managed on the server so access can be governed and revoked centrally.

Per-organization data isolation

IQEducate is multi-tenant, so keeping one organization's data invisible to another is fundamental. Every tenant record carries an organization identifier, and isolation is enforced on the server for each request — not left to the interface to hide.

  • Organization scoping is checked server-side on every data request.
  • Role-based permissions determine what each member can see and do within their own organization.
  • External learners in client portals only see the content explicitly assigned or made visible to them.

Roles, permissions, and audit logging

Access inside an organization is governed by defined roles — org admin, content admin, teacher, manager, learner, and external learner — each mapped to specific permissions. When multiple roles apply, the highest applicable privilege resolves.

Administrative actions are recorded in an audit log so that changes to sensitive configuration and membership can be reviewed after the fact.

API keys, webhooks, and integrations

The REST API authenticates with API keys that are stored as SHA-256 hashes rather than in plain text, and each key is limited to scoped permissions. Outbound webhooks are signed with HMAC so receiving systems can verify that a payload genuinely came from IQEducate.

Storage and data in transit

Application data is stored in PostgreSQL, and uploaded files and generated documents such as certificates are kept in object storage with access controls. Traffic between clients and our servers is protected with TLS in transit.

Responsible disclosure

If you believe you have found a security issue in IQEducate, we want to hear about it. Security reports can be sent through the contact channel on this site. Please give us enough detail to reproduce the issue, and allow reasonable time to investigate and respond before any public disclosure. We appreciate researchers who report responsibly.

Frequently asked questions

Does IQEducate store passwords?

No. Sign-in is handled through Google OAuth, so there are no IQEducate passwords to create, reset, or leak. We only receive the identity details needed to establish an account.

Is IQEducate SOC 2 or ISO 27001 certified?

No. We do not currently hold SOC 2, ISO 27001, or similar certifications, and we will not claim otherwise. We describe our security as an engineering practice and list the concrete controls we have in place.

How is one organization's data kept separate from another's?

IQEducate is multi-tenant. Every tenant record carries an organization identifier, and that scoping is enforced on the server for every request, so members of one organization cannot access another organization's data.

How do I report a security vulnerability?

Please use the contact channel on this site to send a report. Include enough detail to reproduce the issue and allow reasonable time for us to investigate before public disclosure.

Related reading

  • Features

    Explore IQEducate features: AI course generation, quizzes with server-side grading, recurring training rules, automatic certificates, reporting, and client portals.

  • Pricing

    Straightforward training software pricing based on active learners. Start free, then choose Starter, Growth, Business, or Enterprise as your training grows.

  • Compliance Training Software

    Assign required training, schedule automatic renewals, chase overdue learners with reminders, and keep audit-ready completion records and certificates.

  • Google Workspace Training

    Training software that fits Google Workspace: Google sign-in for every learner, directory sync to import your people, and domain-based auto-join for your team.

Ready to put training on autopilot?

Create your organization, build your first course, and assign it the same day. The Free plan needs no credit card.

Start free