Security & Compliance Overview

Effective date: 22 September 2025 | Last updated: 22 September 2025
This one-page brief outlines the technical and organisational measures Shiminly Inc. ("Shiminly") implements to keep learner data safe, meet global standards, and maintain platform reliability.

Table of Contents

  • Infrastructure & Hosting
  • Data Protection Measures
  • Independent Certifications
  • Testing & Monitoring
  • Incident Response
  • Security Contact & Bug Reporting

1. Infrastructure & Hosting

Layer            | Provider        | Region(s)                       | Controls
LMS Platform     | LearnWorlds     | EU (Frankfurt & Cyprus)         | ISO 27001-certified data centres; daily encrypted backups
Content Delivery | Cloudflare CDN  | Global (incl. USA, UAE, India)  | WAF, DDoS mitigation, TLS 1.3
Payments         | Stripe Payments | USA, EU, India                  | PCI DSS v4.0 Level 1; tokenised card data (no card numbers reach Shiminly systems)
AI Services      | Azure OpenAI    | EU (Ireland)                    | ISO 27018; Standard Contractual Clauses (SCCs) for data transfer

2. Data Protection Measures

  • Encryption in transit: TLS 1.2 or higher for all traffic (TLS 1.3 at the Cloudflare edge).
  • Encryption at rest: AES-256 for database and object storage.
  • Role-based access control (RBAC): staff access follows least privilege; MFA is required for staff accounts.
  • Data localisation: primary storage in the EU; no PII is stored outside the EU unless Standard Contractual Clauses (SCCs) are in place with the recipient.
  • Breach notification: regulators and affected users are notified within 72 hours (see section 5).

3. Independent Certifications & Accreditations

Certification / Audit   | Scope                          | Status
ISO 27001:2013          | LearnWorlds infrastructure     | Active (renewal Mar 2027)
PCI DSS v4.0 – Level 1  | Stripe cardholder environment  | Report on Compliance (ROC) 2025 pass
SOC 2 Type II           | Transactional email (Postmark) | Report 2025 pass
Cognia® Accreditation   | Educational quality assurance  | Accreditation ID CNGLSE0925

Certifications listed against a provider attest to that provider's environment as named in the Scope column, not to Shiminly's own systems; Shiminly's controls are described in sections 2 and 4.

4. Testing & Monitoring

  • Penetration test: last full-scope test May 2025, with no critical findings; next test scheduled for May 2026.
  • Vulnerability scanning: quarterly scans via an automated Nessus pipeline.
  • Uptime monitoring: public status page at /status; target of 99.9% monthly uptime.
  • Subprocessor inventory: live list at /subprocessors, updated quarterly.

5. Incident Response

  • Detect and triage: within 2 h.
  • Contain and eradicate: within 24 h.
  • Notify: the DPO, regulators, and affected users within 72 h of becoming aware of a breach involving personal data.
  • Post-mortem: published internally within 7 days.

6. Security Contact & Bug Reporting

  • Security team: security@shiminly.com
  • Responsible disclosure: email vulnerability reports, including reproduction steps, to the address above. We acknowledge reports within 48 h and may offer recognition in our Hall of Fame.

© 2025 Shiminly Inc.  All rights reserved.