Launch offer — every paid plan ships with white-glove course migration.
Security

The honest security page creators actually want to read.

Below is what we do to protect your course content, your students' data, and your academy. We are also clear about what no platform can promise — because pretending otherwise is how creators lose trust.

What we do

Nine concrete safeguards, in plain language.

Encrypted-at-rest storage

All course assets — video, audio, PDF, ZIP — sit in encrypted object storage across multiple geographically distributed providers. Keys are rotated regularly and never co-resident with the data they protect.

Signed-URL delivery

Every lesson asset is served via short-lived signed URLs that expire and are bound to the requesting session. Hot-linking a video into another tab or another site fails within minutes.

Per-student watermarked video

On Growth and above, video lessons are watermarked with the student's name, email and session token. If a recording leaks, the source is identifiable — and your students know it.

Concurrent-device limits

Course access is limited to a configurable number of concurrent devices. New device logins require email verification, blocking the most common course-sharing pattern.

IP & device pinning (optional)

For premium cohorts, you can pin enrollment to a single device fingerprint or IP range. Effective against bulk credential sharing in coaching-class environments.

Role-based admin controls

Owner, instructor, support and read-only roles with scoped permissions. Audit logs record every access to student data, payment records and course assets.

PCI-DSS payment offload

JR LearnHub never sees a card number. Razorpay and Stripe handle card data end-to-end and we receive only tokens. Your customers' card details are not stored on our servers.

Encrypted-in-transit everywhere

TLS 1.3 on every public endpoint. Internal service-to-service traffic uses mutual TLS. HSTS preloaded on the marketing site and all academy subdomains.

Daily encrypted backups

Database backups run daily, encrypted, with 30-day retention. Critical data has cross-region copies. Point-in-time recovery available for the last 7 days.

What we will not pretend

The honest part most platforms skip.

Piracy can never be zero

A determined buyer with a phone camera can record any video on any platform. Anyone who claims otherwise is selling marketing copy. What we can do — and do — is make piracy expensive, slow, and identifiable enough that it stops being worth it for the marginal pirate.

We log what is needed, and only that

We collect access logs, billing records, and the data required to operate your academy. We do not sell student data, do not run third-party ad tracking inside academy portals, and you can export or delete your data at any time.

We tell you when something breaks

If we discover a security incident that affects your account, you hear from us by email within 72 hours with what happened, what was exposed (if anything), and what we did about it.

Compliance posture

Where we are today, and where we are headed.

We will not claim certifications we don't hold. Here is the honest state of our compliance roadmap.

StandardStatus
GDPR-ready data flowsIn place
India DPDP complianceIn progress
SOC 2 Type IIOn roadmap
ISO 27001On roadmap
Incident response

If something breaks, here is what happens.

  1. 1

    Detection

    Automated alerts on auth, payment, storage and abuse signals page the on-call engineer.

  2. 2

    Containment

    Affected access tokens are rotated, suspicious sessions are terminated, blast-radius is scoped within minutes.

  3. 3

    Notification

    If an incident affects your account or your students, you receive a direct email within 72 hours with what happened and what was exposed.

  4. 4

    Post-mortem

    A written post-mortem is published to status.jrlearnhub.com for every significant incident, with the root cause and the fix.

Have a security question? Ask us directly.

Email security@jrlearnhub.com for vendor questionnaires, vulnerability disclosure, or to set up a security review before signing up.