Security Overview

Learning Commons security principles

Learning Commons exists to build public AI infrastructure that connects how students learn to the tools they learn with — grounded in learning science, aligned to academic standards, and designed for the common good. The Services reflect that mission: a self-serve platform for Build Partners to access open, machine-ready datasets, APIs, documentation, and tools — including our Knowledge Graph and Evaluators — to develop and integrate AI-powered education tools responsibly. 

Learning Commons is grounded in a commitment to the privacy, safety, and trust of the educators and learners we serve. These values are embedded in our design, development, and operational processes. We have outlined our commitments to users, partners, and school districts in our Privacy Policy, Terms of Use, Community Guidelines, and Responsible AI Practices, all available at learningcommons.org.

Our information security program maintains rigorous controls designed to protect your data. We continuously evaluate our policies and practices to stay aligned with the latest industry standards 

We do not display third-party advertisements on our platform. We do not sell or rent users’ personal information, and we never will.

For security questions or concerns, please contact us at: security@learningcommons.org

Infrastructure security

Encryption at Rest and In Transit

All access to Learning Commons services occurs over encrypted connections using HTTPS (HTTP over TLS), which encrypts data before it leaves our servers and protects it in transit over the internet. We enforce HTTP Strict Transport Security (HSTS) to ensure all pages are loaded exclusively over HTTPS. All personally identifiable information stored on our systems is encrypted at rest using AES-256 or stronger modern encryption algorithms.

Network Security

Learning Commons infrastructure is hosted on Amazon Web Services (AWS), which undergoes rigorous, ongoing security assessments from external audit firms to ensure compliance with standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA.

Network access to Learning Commons infrastructure is strictly controlled. AWS-hosted resources reside in a dedicated Virtual Private Cloud (VPC) configured to allow only authorized traffic over approved ports. Development infrastructure is maintained in a separate VPC, isolated from production environments. We leverage built-in AWS services, including AWS GuardDuty, to continuously monitor for suspicious activity.

Patching

We use automated monitoring to track available patches, system updates, and security fixes across our infrastructure. Our engineering and security teams regularly review and apply updates to keep the Learning Commons platform current. For critical security updates, on-call rotation schedules ensure a designated point of contact is available to respond immediately.

Access Management

Access to Learning Commons infrastructure is strictly limited to individuals who require it to perform their roles — including engineers, data scientists, product managers, and support staff. All infrastructure access requires strong passwords and multi-factor authentication (MFA). Access activities are logged and subject to ongoing review.

Backups

Learning Commons maintains a data backup and recovery capability designed to enable timely restoration of services with minimal data loss in the event of a catastrophic failure. All backups are encrypted and stored in a geographically separate region from production databases.

Physical Security

Learning Commons is hosted on AWS infrastructure, which employs industry-leading physical security measures, including 24/7 on-site security personnel, video surveillance, and perimeter intrusion detection systems. These controls are regularly audited by independent third parties. Additional details are available on AWS’s compliance documentation.

Application security

Secure Software Development Lifecycle

Privacy and security are foundational considerations in the design and development of all Learning Commons products. We employ both manual and automated processes to identify and address potential vulnerabilities throughout the software development lifecycle. These include:

• Mandatory peer code review for all changes prior to deployment
• Automated source code and dependency scanning
• Periodic security reviews conducted by independent external experts
• A Vulnerability Disclosure Program allowing security researchers to report issues responsibly

If you suspect or discover a security vulnerability in any Learning Commons product, please contact us immediately at: security@learningcommons.org

Authentication

Learning Commons supports Single Sign-On (SSO) via Google and GitHub, as well as traditional email and password login. With SSO, user credentials are managed entirely by their respective institutions. All Learning Commons staff are required to use SSO with strong passwords and multi-factor authentication.

Access Control

Learning Commons enforces strong, role-based access control at both the data model and authorization layer. Users can only access data they are authorized to view or interact with based on their role. Staff access to user data is governed by strict access control policies that limit visibility to only what is reasonably necessary to perform job functions. All access is logged, and logs are protected to maintain their integrity.

MCP Server and API Security

Learning Commons provides Model Context Protocol (MCP) server integrations that enable large language model (LLM) providers and developer tools to access our Knowledge Graph and related educational resources. Our MCP integrations are designed with minimal data collection principles:

• We collect only the minimal data necessary to fulfill API requests — typically parameters from user queries, not full prompt contents.
• We do not store LLM-generated outputs unless explicitly provided by the developer via an opt-in mechanism.
• In the unlikely event that personal data is inadvertently transmitted, we apply minimization, retention limits, and encryption to protect that data.
• API credentials and access events are logged for security monitoring and debugging purposes.

Developers using our Software Developer Kit (SDK) should be aware that the SDK collects limited usage and performance telemetry by default (e.g., latency, token usage, SDK version). Telemetry can be disabled through SDK settings. Developers are responsible for ensuring that any content shared with Learning Commons complies with applicable law.

Security governance and policies

Incident Response

Learning Commons maintains a documented incident response process that is activated whenever suspicious or abnormal activity is detected on our platform that may have security implications. Our engineering and security teams maintain on-call rotations to ensure a designated responder is available at all times.

Following any significant incident — whether security-related or operational (such as a service outage) — we conduct post-incident reviews. These reviews are designed to identify root causes, document lessons learned, and implement improvements to prevent recurrence.

Vendor and Third-Party Security

Learning Commons uses a limited set of trusted third-party service providers to deliver its platform. All service providers are evaluated for security and privacy practices prior to engagement and are contractually required to handle data in a manner consistent with our commitments to users.

Our primary infrastructure partner, Amazon Web Services (AWS), maintains certifications including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. CZI affiliates who access Learning Commons data are subject to the same Data Privacy Addendum as our external partners.

A list of our key third-party service providers is available upon request.

Security Awareness and Training

All Learning Commons and CZI personnel with access to platform systems and data are required to complete security awareness training. This training covers data handling obligations, phishing awareness, password security, and incident reporting procedures. Access is reviewed regularly and revoked promptly upon staff offboarding.

For additional information about our data practices, please review our Privacy Policy at learningcommons.org/privacy-policy.

To report a security concern or request information about our security program, contact us at: security@learningcommons.org