Security

Your family’s safety comes first

Engineered for protection. Built with layered defenses, modern cryptography, and operational excellence to keep your data safe without getting in the way of learning.

TLS 1.3 everywhere · AES-256 at rest · Key rotation · L7 DDoS protection
TLS 1.3 Encryption
All data transmitted between your browser and our servers uses TLS 1.3, the current version of the TLS protocol. Every connection is encrypted and authenticated; there is no plaintext fallback.
AES-256 Storage
Your data is encrypted at rest with AES-256 through Supabase, so your information remains protected in storage as well as in transit.
DDoS Protection
Vercel's enterprise infrastructure includes Layer 7 DDoS protection to keep the platform available and responsive even during attack attempts.
OAuth Security
Sign in securely with Google OAuth 2.0. We never see or store your Google password, and you can revoke access anytime from your Google account.

Engineered for protection

Encrypted everywhere. All connections use TLS 1.3 in transit, and all data at rest is protected with AES-256, a cipher approved by the U.S. government for information classified up to Top Secret. Encryption is enforced at service boundaries as well as between internal components to reduce lateral-movement risk. Administrative interfaces and secrets stores are restricted to privileged roles under least-privilege policies.

Perimeter security & DDoS mitigation

Ingress traffic is filtered before it reaches application endpoints using an enterprise-grade firewall with managed rules. Baseline and burst thresholds are profiled so volumetric anomalies are blocked without affecting normal usage. Layer-7 protections look for signature and behavioral indicators rather than simple rate spikes. Mitigation runs continuously and does not require manual warm-up to activate. Blocked traffic does not count toward usage or billable capacity.

Bot management

High-value routes such as signup, authentication, and API gateways are protected by a managed bot-protection ruleset. The platform can silently challenge non-browser traffic and scripted automation without introducing visible puzzles. Detection combines request fingerprinting with anomaly heuristics to distinguish scripted replay from legitimate sessions. Rules are updated centrally so defenses evolve without application redeploys. This layer reduces credential-stuffing, fake account creation, and enumeration attempts.

HTTP security headers & CSP

The application is configured with a strict Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Policies are linted to catch weak directives and unsafe allowances before release. We target an A+ outcome on independent header scanners to verify effective coverage. Subresource integrity and controlled script sources further restrict executable surface in the browser. Header regressions are treated as release blockers on sensitive routes.
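
The kind of pre-release lint described above, as an added example that is not the site's own code. It takes the response headers a route will send, flags missing hardening headers, a short HSTS max-age and weak CSP script sources, and returns findings that a release gate can treat as blockers. The required-header list, thresholds and the two sample header sets are this example's assumptions, not the site's actual policy.

```javascript
// Added example, not the site's own code: a release gate that checks the
// response headers a route will send. The required-header list, the
// one-year HSTS threshold and the weak-source list are assumptions.

const REQUIRED_HEADERS = [
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'content-security-policy',
];

// Sources that must never appear in script-src (or in default-src when
// script-src is absent, since default-src is then the fallback).
const WEAK_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'data:']);

// Parse "default-src 'self'; script-src 'self' https://cdn" into a map of
// directive name -> lower-cased source list.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Returns a list of findings; an empty list means the headers pass the gate.
function lintHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];

  for (const name of REQUIRED_HEADERS) {
    if (!(name in h)) findings.push(`missing header: ${name}`);
  }
  if (h['strict-transport-security']) {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security']);
    if (!m || Number(m[1]) < 31536000) findings.push('hsts: max-age below one year');
  }
  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options: must be nosniff');
  }
  if (h['content-security-policy']) {
    const csp = parseCsp(h['content-security-policy']);
    if (!csp['default-src']) findings.push('csp: no default-src fallback');
    const scriptSources = csp['script-src'] || csp['default-src'] || [];
    for (const src of scriptSources) {
      if (WEAK_SCRIPT_SOURCES.has(src) || src.startsWith('http:')) {
        findings.push(`csp: weak script source ${src}`);
      }
    }
    if (!csp['object-src'] || csp['object-src'][0] !== "'none'") {
      findings.push("csp: object-src should be 'none'");
    }
  }
  return findings;
}

// Constructed sample headers: a weak set beside the corrected set.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' *",
};

const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
};

console.log('weak:', lintHeaders(WEAK_HEADERS));
console.log('hardened:', lintHeaders(HARDENED_HEADERS)); // []
```

Running the weak set produces six findings (two missing headers, the short HSTS lifetime, two weak script sources and the missing object-src restriction); the hardened set produces none. A gate like this runs against the headers the framework is configured to emit, so a regression is caught before the route is deployed rather than by an external scanner afterwards.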

Backups, durability & recovery

Encrypted backups run daily and are retained for seven days with redundant storage. Recovery workflows are periodically exercised to validate restore integrity and recovery point objectives. Backup artifacts are encrypted independently of primary storage and stored in separate fault domains. Operational access to backup locations is restricted and audited. We do not replicate production data into development environments.

Identity, authentication & MFA

Accounts can authenticate via Google OAuth or email/password. Two-factor verification is enforced via a one-time email code at sign-in to mitigate unauthorized access. Passwords must be at least ten characters and include upper, lower, numeric, and symbol classes. Credentials are salted and hashed using modern cryptographic algorithms and never stored in plaintext. Authentication failures and unusual patterns are logged for correlation with other security events.

Session, token & rate-limit controls

Sessions use short-lived tokens with secure issuance and rotation semantics. Reset links expire on a short window to reduce replay risk, and device/session revocation is available upon logout. Sensitive routes enforce request-level rate limits keyed by account and network indicators. Protections prioritize graceful degradation over hard failures to preserve availability during spikes. Token audience, scope, and lifetime are constrained to the minimum necessary for each flow.

Secure development lifecycle

Features are designed with explicit threat models that include injection, broken access control, XSS, CSRF, and authentication bypass. Input validation, output encoding, parameterized queries, and strict CSP are treated as default controls rather than optional hardening. Third-party dependencies are scanned routinely, and security updates are prioritized in the release queue. Security-relevant code paths require review and must pass pre-release gates. Secrets and credentials are injected at runtime through isolated configuration, never committed to source control.
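
Output encoding as a default control, shown as an added example that is not the site's own code: a deliberately vulnerable renderer beside its hardened form, which encodes for the HTML text and attribute contexts and refuses unsafe URL schemes in the link context. The profile-card template and the attacker-controlled profile are constructed for illustration.

```javascript
// Added example, not the site's own code. renderUnsafe is deliberately
// vulnerable (the XSS the paragraph names); renderSafe encodes each
// untrusted value for the context it lands in. Template and payload are
// constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Links: allow relative URLs and http(s) only; anything else becomes inert.
// Tabs and newlines are stripped first because browsers ignore them inside
// a scheme, so "java\nscript:" would otherwise slip past the check.
function safeHref(value) {
  const cleaned = String(value).replace(/[\t\n\r]/g, '').trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme && !['http', 'https'].includes(scheme[1].toLowerCase())) return '#';
  return escapeHtml(cleaned);
}

// Vulnerable: untrusted values are interpolated straight into markup.
function renderUnsafe(profile) {
  return `<div class="card"><h2>${profile.name}</h2><a href="${profile.site}">site</a></div>`;
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderSafe(profile) {
  return `<div class="card"><h2>${escapeHtml(profile.name)}</h2><a href="${safeHref(profile.site)}">site</a></div>`;
}

// Constructed attacker-controlled profile.
const HOSTILE_PROFILE = {
  name: '<img src=x onerror="alert(document.cookie)">',
  site: 'javascript:alert(1)',
};

console.log(renderUnsafe(HOSTILE_PROFILE));
console.log(renderSafe(HOSTILE_PROFILE));
```

The same discipline applies to the other controls the paragraph lists: the fix is always to treat untrusted input as data for the target context (HTML, attribute, URL, SQL parameter), never as code, and to make the encoding function the only path into that context.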

Environments, change control & isolation

Development, preview, and production environments are isolated with separate credentials and access paths. Production data is not copied into non-production contexts. Every deployment is tracked with provenance and can be rolled back rapidly if a regression is detected. Infrastructure changes and configuration drifts are logged and subject to approval on sensitive systems. Administrative access is time-bounded and audited end-to-end.

Monitoring, logging & detection

The platform maintains telemetry for errors, latency, saturation, and unusual behavioral patterns. Authentication events, administrative actions, and policy denials are captured with sufficient detail for investigation. Dashboards surface health at the route and service level so anomalies are contextualized quickly. Alerting thresholds are tuned to reduce noise while preserving early-warning coverage. Security logs are retained according to policy and protected from tampering.

External vulnerability assessment

Public endpoints are scanned weekly by independent website security tools. These checks include malware and blacklist status, certificate health, HTTP header/CSP validation, and common web misconfiguration classes. Findings are triaged by severity with remediation tracked to closure in the release pipeline. Re-scans verify correctives before issues are marked resolved. External scanning complements internal reviews to provide an outside-in perspective.

AI security (Gemini)

AI features call Gemini via server-side, encrypted API requests—never directly from the browser. Learning conversations are retained only to support continuity, progress, and safety review. Access to AI-linked records is role-limited, logged, and periodically reviewed for appropriateness. No AI conversation data is shared with advertisers. Model-facing requests are stripped of unnecessary identifiers to minimize exposure.
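
The minimisation step described in the last sentence, as an added example that is not the site's own code and does not call any model API: a stored learning record is reduced to an allow-listed set of fields before it leaves the server, and identifiers that appear inside free text are replaced with placeholders. Field names, redaction patterns and the sample record are assumptions constructed for illustration.

```javascript
// Added example, not the site's own code: strip identifiers from a record
// before building the model-facing request. FORWARDED_FIELDS, the patterns
// and SAMPLE_RECORD are assumptions constructed for illustration.

const FORWARDED_FIELDS = ['subject', 'gradeBand', 'prompt'];

const REDACTION_RULES = [
  { name: 'email', pattern: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, placeholder: '[EMAIL]' },
  { name: 'uuid', pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi, placeholder: '[ID]' },
  { name: 'longNumber', pattern: /\b\d{9,}\b/g, placeholder: '[NUMBER]' },
];

// Replace identifier-like substrings and count what was removed, so the
// counts (never the values) can be logged for review.
function redactText(text) {
  const counts = {};
  let out = String(text);
  for (const rule of REDACTION_RULES) {
    const matches = out.match(rule.pattern);
    counts[rule.name] = matches ? matches.length : 0;
    out = out.replace(rule.pattern, rule.placeholder);
  }
  return { text: out, counts };
}

// Build the model-facing request from a stored record. Account identifiers,
// email address and network metadata never enter the request object.
function buildModelRequest(record) {
  const request = {};
  for (const field of FORWARDED_FIELDS) {
    if (field in record) request[field] = record[field];
  }
  const { text, counts } = redactText(request.prompt || '');
  request.prompt = text;
  return { request, redactions: counts };
}

// Constructed sample record as it might sit in the database.
const SAMPLE_RECORD = {
  userId: '3f2b9c1e-4d5a-4b6c-8e7f-1a2b3c4d5e6f',
  email: 'parent@example.com',
  subject: 'math',
  gradeBand: '3-5',
  prompt: 'My account is 3f2b9c1e-4d5a-4b6c-8e7f-1a2b3c4d5e6f and my email is parent@example.com. Can you explain fractions?',
  ipAddress: '203.0.113.7',
};

console.log(JSON.stringify(buildModelRequest(SAMPLE_RECORD), null, 2));
```

The allow-list is the control that does the most work: a new column added to the record later is dropped by default rather than forwarded by accident. The regex pass is a backstop for identifiers a learner types into the prompt itself, and its counts give the periodic access review a signal without retaining the redacted values.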

Incident response

On detection of a potential issue, response follows a standard sequence: isolate the affected component, apply a tested patch or mitigations, verify the fix, and deploy. Root cause analysis documents exploit vectors and contributing factors for later preventive controls. Incident artifacts are preserved for audit and post-mortem. Severity determines communication cadence and escalation paths. Lessons learned feed back into controls and developer guardrails.

Responsible disclosure

We welcome good-faith research and reports. Acknowledgement is targeted within 48 hours, and critical vulnerabilities have a three-day remediation target or compensating controls when immediate patching is not feasible. Testing must not exfiltrate personal data or degrade service availability. Coordinated disclosure timelines can be arranged for complex findings. Reports can be sent to support@learnmulu.com with technical detail and reproduction steps.

Privacy, minimization & retention

We practice data minimization and process only the categories necessary to operate the service and protect users. Categories include account and identity data, learning-activity metadata, AI interaction context, technical telemetry, security event logs, billing/subscription metadata via our processor, support communications, and more. We do not collect home addresses, phone numbers, Social Security numbers, or health data. Personal data is deleted from active systems immediately after account removal; short-term encrypted backups follow fixed retention for disaster recovery. Data is shared only with essential service providers under strict agreements—never with advertisers.

Change transparency

Security posture evolves as threats evolve. Uptime, security reviews, and remediation are tracked internally to maintain accountability without exposing operational details. Material changes to controls or guarantees are reflected on this page. When policy thresholds or timelines are updated, the effective date will be noted. This approach keeps families informed while protecting operational security.

Contact

Questions about security, privacy, or vulnerability handling can be directed to support@learnmulu.com.

Last updated: