Security at CourseLytics
CourseLytics holds a read-only mirror of your business data — revenue, contacts, purchases, transactions. We treat that responsibility seriously. This page describes the controls we use to keep your data safe.
1. Data in transit
- All connections to CourseLytics are encrypted using TLS 1.2 or higher.
- HTTP traffic is automatically redirected to HTTPS.
- Calls to Kajabi, Stripe, SendGrid, and our AI provider are made server-to-server over HTTPS.
2. Data at rest
- Application databases use disk-level AES-256 encryption.
- Sensitive credentials — including the Kajabi API key you provide — are encrypted at the application layer using a separate secret key before being written to the database. They are decrypted only in memory at the moment we make a sync request.
- Passwords are never stored in plain text. We hash them with a modern, salted, slow KDF designed for password storage.
- API keys and platform secrets are stored in our hosting provider’s secret manager and are never committed to source control.
3. Authentication & access control
- Email-and-password sign-in with mandatory email verification before access is granted.
- CSRF protection on every state-changing request.
- Server-side session management with secure, HTTP-only cookies and rotating session identifiers.
- Rate limiting on sign-in, sign-up, and password reset endpoints to deter credential stuffing and brute-force attempts.
- Role-based access control inside each organization (owner, admin, member, view-only) so teammates only see what they need.
- Strict tenant isolation: every database query is scoped to your organization. We do not allow cross-tenant access.
4. Application security
- SQL injection is prevented by using a parameterized ORM throughout the codebase.
- Output is escaped by default in our templating engine to defeat cross-site scripting.
- Dependencies are tracked in a lockfile, scanned for known vulnerabilities, and updated regularly.
- Audit logs record administrative actions inside your organization (invites, role changes, billing changes, site connections).
5. AI safety
- AI prompts contain aggregated business metrics (revenue totals, funnel performance, offer-level summaries) — not row-level buyer names or email addresses.
- Our AI provider is contractually prohibited from using your prompts to train its models.
- You spend AI capacity from a prepaid wallet. There is a per-message cap that limits the size of any single prompt.
6. Hosting & infrastructure
- CourseLytics runs on Replit Deployments, backed by Google Cloud Platform infrastructure.
- Managed PostgreSQL with automated daily backups retained for up to 35 days.
- Application logs are retained for 30 days for debugging and security review, then expire automatically.
- Stripe is PCI DSS Level 1 certified and handles all card data on our behalf — we never see card numbers.
7. Operational practices
- The principle of least privilege applies to engineering access — production access is restricted, audited, and reviewed.
- Code changes go through review and automated checks before deployment.
- Secrets are rotated when employees leave or when there is reason to believe a credential is compromised.
8. Incident response
If we detect or are notified of a security incident affecting your data, we will investigate, contain, and remediate as quickly as possible. We will notify affected customers without undue delay and within the timeframes required by applicable law, with the information available to us at the time and updates as the investigation progresses.
9. Your role in keeping data safe
- Use a strong, unique password for your CourseLytics account.
- Only invite teammates you trust, and assign the lowest role that lets them do their job.
- Treat your Kajabi API key like a password — rotate it from inside Kajabi if you suspect it has been exposed.
- Sign out of shared devices.
10. Reporting a vulnerability
We welcome reports from the security community. If you believe you have found a vulnerability, please email security@courselytics.com with details and steps to reproduce. We ask that you give us a reasonable opportunity to investigate and remediate before public disclosure, and that you avoid accessing or modifying data that does not belong to you.