Security at Leoblocks
Protecting data privacy and security is a top priority for Leoblocks.
Leoblocks operates the services offered on leoblocks.com (the "Leoblocks Website"), including the Leoblocks platform (the "Leoblocks Platform") and associated mobile applications or services (collectively, the "Service").
Our Privacy Policy and Student Data Privacy Addendum outline our commitments to schools and families, including security practices and data privacy guarantees. This document provides technical insight for technology professionals like Chief Information Officers, IT directors, or data privacy officers at educational institutions.
If you have any questions or would like materials more tailored for educators or families, contact us at support@leoblocks.com.
Encryption at Rest and In Transit
All access to Leoblocks services is encrypted using modern TLS protocols (HTTPS). We enforce HTTP Strict Transport Security (HSTS) to ensure all connections occur securely.
Student Data and other sensitive information are encrypted:
- In transit: via HTTPS (TLS 1.2 or higher)
- At rest: using AES-256 encryption in our MySQL database and Google Cloud Storage
Encryption keys are securely managed and periodically rotated.
Hosting Infrastructure
Our infrastructure is hosted on Google Cloud Platform (GCP) using secure, virtual machine-based environments configured with firewall and network restrictions. We do not use Amazon Web Services (AWS).
Leoblocks leverages Google Cloud’s industry-grade security architecture, including:
- Dedicated Virtual Private Clouds (VPCs)
- Internal firewalls and strict inbound/outbound rules
- Regional redundancy for uptime and disaster resilience
Monitoring & Threat Detection
We use Sentry to monitor application errors and potential anomalies. It helps us detect issues early and respond quickly to abnormal behavior across our platform.
We also log key events and monitor system performance through internal tools and automated alerts.
Patching and Vulnerability Management
Our patching strategy includes:
- Google Cloud-managed VMs: regularly updated with the latest security patches
- Leoblocks application code: scanned continuously using GitHub Dependabot and Snyk.io for known vulnerabilities in dependencies
- Deployment pipeline: secured with GitHub Actions and Laravel Forge, with audit logs for CI/CD processes
Data Backups & Disaster Recovery
We back up application data and user content daily to encrypted, multi-regional storage in Google Cloud. These backups are tested and validated regularly, with a recovery plan designed to restore service quickly with minimal data loss in case of a major outage.
Disaster recovery measures include:
- Off-site backups
- Infrastructure replication
- Uptime monitoring and auto-scaling
Physical Access Control
We rely on Google Cloud's data centers, which are protected by advanced physical security, including:
- 24/7 surveillance and biometric access controls
- Security staff and motion detection
- Strict visitor access protocols
You can learn more about GCP’s physical security here.
Virtual Access Control
We enforce strong identity and access management policies:
- Multi-factor authentication (MFA) for all infrastructure accounts
- Role-based access control (RBAC) for developers and staff
- IP whitelisting for internal services
- Secure access policies with audit logs for every change or access
Authentication & Identity Management
Leoblocks supports secure user authentication through:
- Email and password login (with enforced strong password policies)
- Google Single Sign-On (SSO)
- Microsoft Single Sign-On (SSO)
All authentication flows are protected with HTTPS and are integrated with our backend identity provider to ensure secure session handling and role-based access control (RBAC). Authentication attempts are logged and monitored, and suspicious activity is flagged automatically.
Data Access Control
Access to Student Data is limited to authorized staff who require access for support, debugging, or infrastructure operations.
Technical and organizational controls include:
- Principle of least privilege
- Individual credentials with strong password policies
- Centralized access logs
- Scheduled access reviews
Unauthorized access is subject to strict disciplinary procedures.
Entry & Change Logging
We maintain detailed logs of:
- Access to production databases
- API usage related to Student Data
- Changes made through our deployment pipeline or admin tools
These logs are retained and reviewed periodically for compliance and security purposes.
Secure Data Transmission
All data transmitted between services or externally (e.g., between browser and server) is encrypted via HTTPS.
Internal communication between services is secured using:
- Encrypted channels
- Scoped API keys
- OAuth tokens for service authentication
Disclosure Control
To prevent unauthorized data disclosures, we use:
- End-to-end encryption
- Controlled API access
- Secure temporary download URLs for limited-time access to user-generated content
- Audit logs of all outbound data transmissions
Current Technology Stack Overview
| Category | Provider / Tool |
|---|---|
| Hosting | Google Cloud VMs |
| Storage | Google Cloud Storage |
| Database | MySQL |
| Monitoring | Sentry |
| CI/CD | GitHub Actions + Laravel Forge |
| Email Communication | Mailgun |
If you have any further questions about our security practices or need a Data Processing Agreement (DPA), feel free to contact us at support@leoblocks.com.
You can read more about our privacy and data protection policies below: