Security

Compliance training needs a compliant platform.

Training records are compliance evidence. SOX 404, FMCSA 49 CFR Part 380, and OSHA 1910 all require you to protect and produce them on demand. Learn.xyz is designed with SOC 2 controls in mind — AES-256 at rest, TLS 1.2+ in transit, immutable audit logs — so your InfoSec team can sign off before your first module goes live.

AES-256: encryption at rest

TLS 1.2+: encryption in transit

SSO: Okta & Azure AD ready

SCIM: provisioning included

SOC 2 Controls

Designed with SOC 2 controls in mind.

We build security into every layer of the platform — not as a feature to be added later, but as a design constraint from day one.

A note on certification status: Learn.xyz is designed with SOC 2 controls in mind — not currently SOC 2 audited. Operators in SOX-, FMCSA-, or HIPAA-scoped verticals requiring audited compliance should plan for the audit window in their procurement timeline.

Access Control

Role-based access control with principle of least privilege. Admin, manager, and learner roles with explicit permission scopes. Audit log for every administrative action.

Encryption

AES-256 encryption at rest for all stored data. TLS 1.2+ for all data in transit. Encryption keys managed with regular rotation schedules.

Logging & Monitoring

Comprehensive audit logging for all authentication events, data access, and administrative actions. Logs are immutable and retained per compliance requirements.

Incident Response

Documented incident response procedures with defined escalation paths. Security events are triaged within defined SLAs. Customers notified per contractual and regulatory requirements.

Data Residency

Your training records stay in the US.

All Learn.xyz customer data — including employee completion records, PII, and policy version archives — is stored and processed in US-based data centers. We do not transfer training records to non-US jurisdictions.

For operators with specific state-level data residency requirements, we can discuss contractual data-handling commitments during onboarding. Contact our team to discuss your specific requirements.

US data centers only

No cross-border data transfers for training records

SOC 2-audited infrastructure providers

We use infrastructure providers that maintain their own SOC 2 compliance programs

Data Processing Agreements available

DPAs included in enterprise contracts on request

SSO & SCIM

Identity management without the IT ticket queue.

Connect your existing identity provider and let SCIM handle provisioning. New employees get Learn.xyz access automatically when they're added to your HRIS — and it's revoked when they leave.

Okta

SAML 2.0 and OIDC. SCIM 2.0 provisioning. Group sync for role assignment.

Azure AD

Microsoft Entra ID integration. SAML and OIDC. Automatic provisioning and deprovisioning.

Generic SAML 2.0

Works with any SAML 2.0-compliant identity provider. Configuration guide available on request.

Audit Trail

Immutable records. Every time.

Once a completion record is written, it cannot be modified or deleted by any user — including administrators. That's not a policy setting. It's baked into the data model so that an auditor reviewing the log months later sees exactly what the employee trained against and when.

What's logged

Employee ID, module ID, policy version hash, score, timestamp, device type, IP (hashed)

What can't be changed

Records are append-only. No administrator or API call can overwrite or delete a completion record once written.

How to export

One-click CSV export from the compliance dashboard. API access for automated compliance reporting pipelines.
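As an added illustration of the append-only record model described above (example code written for this page, not Learn.xyz's own implementation): an in-memory completion log carrying the fields listed under "What's logged", a keyed hash for the IP field (HMAC-SHA256 and the demo key are assumptions), no overwrite or delete path, and a CSV export of the kind the dashboard produces.

```python
import csv
import hashlib
import hmac
import io
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timezone

# Constructed demo key for keyed IP hashing; a real deployment would load
# this from a secret store. Keyed hashing keeps the raw IP out of the log
# while still letting repeat visits from the same address be correlated.
IP_HASH_KEY = b"constructed-demo-key-do-not-reuse"


def hash_ip(ip: str) -> str:
    """Return the hex HMAC-SHA256 of an IP address (assumed scheme)."""
    return hmac.new(IP_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)  # frozen: a record cannot be mutated after creation
class CompletionRecord:
    employee_id: str
    module_id: str
    policy_version_hash: str
    score: int
    timestamp: str
    device_type: str
    ip_hash: str


class AppendOnlyLog:
    """Completion records can be appended and read, never overwritten or deleted."""

    def __init__(self) -> None:
        self._records: list[CompletionRecord] = []

    def append(self, employee_id, module_id, policy_version_hash, score,
               device_type, ip, timestamp=None) -> CompletionRecord:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        rec = CompletionRecord(employee_id, module_id, policy_version_hash,
                               score, ts, device_type, hash_ip(ip))
        self._records.append(rec)
        return rec

    def records(self) -> tuple:
        return tuple(self._records)  # copy, so callers cannot edit the list

    def __setitem__(self, key, value):
        raise PermissionError("completion records are append-only")

    def __delitem__(self, key):
        raise PermissionError("completion records are append-only")

    def export_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(CompletionRecord)])
        writer.writeheader()
        for rec in self._records:
            writer.writerow(asdict(rec))
        return buf.getvalue()
```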

Questions for your InfoSec team?

We'll walk through encryption, access controls, data residency, and the audit-log model in detail. We can provide a security overview document and answer procurement questionnaires.