
Security at Leoblocks

Protecting data privacy and security is a top priority for Leoblocks.

Leoblocks operates the services offered on leoblocks.com (the "Leoblocks Website"), including the Leoblocks platform (the "Leoblocks Platform") and associated mobile applications or services (collectively, the "Service").

Our Privacy Policy and Student Data Privacy Addendum outline our commitments to schools and families, including security practices and data privacy guarantees. This document provides technical insight for technology professionals like Chief Information Officers, IT directors, or data privacy officers at educational institutions.

If you have any questions or would like materials more tailored for educators or families, contact us at support@leoblocks.com.


Encryption at Rest and In Transit

All access to Leoblocks services is encrypted using modern TLS protocols (HTTPS). We enforce HTTP Strict Transport Security (HSTS) to ensure all connections occur securely.

Student Data and other sensitive information are encrypted:

  • In transit: via HTTPS (TLS 1.2 or higher)
  • At rest: using AES-256 encryption in our MySQL database and Google Cloud Storage

Encryption keys are securely managed and periodically rotated.


Hosting Infrastructure

Our infrastructure is hosted on Google Cloud Platform (GCP) using secure, virtual machine-based environments configured with firewall and network restrictions. We do not use Amazon Web Services (AWS).

Leoblocks leverages Google Cloud’s industry-grade security architecture, including:

  • Dedicated Virtual Private Clouds (VPCs)
  • Internal firewalls and strict inbound/outbound rules
  • Regional redundancy for uptime and disaster resilience

Monitoring & Threat Detection

We use Sentry to monitor application errors and potential anomalies. It helps us detect issues early and respond quickly to abnormal behavior across our platform.

We also log key events and monitor system performance through internal tools and automated alerts.


Patching and Vulnerability Management

Our patching strategy includes:

  • Google Cloud-managed VMs: regularly updated with the latest security patches
  • Leoblocks application code: scanned continuously using GitHub Dependabot and Snyk.io for known vulnerabilities in dependencies
  • Deployment pipeline: secured with GitHub Actions and Laravel Forge, with audit logs for CI/CD processes

Data Backups & Disaster Recovery

We back up application data and user content daily to encrypted, multi-regional storage in Google Cloud. These backups are tested and validated regularly, with a recovery plan designed to restore service quickly with minimal data loss in case of a major outage.

Disaster recovery measures include:

  • Off-site backups
  • Infrastructure replication
  • Uptime monitoring and auto-scaling

Physical Access Control

We rely on Google Cloud's data centers, which are protected by advanced physical security, including:

  • 24/7 surveillance and biometric access controls
  • Security staff and motion detection
  • Strict visitor access protocols

You can learn more about GCP’s physical security here.


Virtual Access Control

We enforce strong identity and access management policies:

  • Multi-factor authentication (MFA) for all infrastructure accounts
  • Role-based access control (RBAC) for developers and staff
  • IP whitelisting for internal services
  • Secure access policies with audit logs for every change or access

Authentication & Identity Management

Leoblocks supports secure user authentication through:

  • Email and password login (with enforced strong password policies)
  • Google Single Sign-On (SSO)
  • Microsoft Single Sign-On (SSO)

All authentication flows are protected with HTTPS and are integrated with our backend identity provider to ensure secure session handling and role-based access control (RBAC). Authentication attempts are logged and monitored, and suspicious activity is flagged automatically.


Data Access Control

Access to Student Data is limited to authorized staff who require access for support, debugging, or infrastructure operations.

Technical and organizational controls include:

  • Principle of least privilege
  • Individual credentials with strong password policies
  • Centralized access logs
  • Scheduled access reviews

Unauthorized access is subject to strict disciplinary procedures.


Entry & Change Logging

We maintain detailed logs of:

  • Access to production databases
  • API usage related to Student Data
  • Changes made through our deployment pipeline or admin tools

These logs are retained and reviewed periodically for compliance and security purposes.


Secure Data Transmission

All data transmitted between services or externally (e.g., between browser and server) is encrypted via HTTPS.

Internal communication between services is secured using:

  • Encrypted channels
  • Scoped API keys
  • OAuth tokens for service authentication

Disclosure Control

To prevent unauthorized data disclosures, we use:

  • End-to-end encryption
  • Controlled API access
  • Secure temporary download URLs for limited-time access to user-generated content
  • Audit logs of all outbound data transmissions

Current Technology Stack Overview

Category               Provider / Tool
Hosting                Google Cloud VMs
Storage                Google Cloud Storage
Database               MySQL
Monitoring             Sentry
CI/CD                  GitHub Actions + Laravel Forge
Email Communication    Mailgun

If you have any further questions about our security practices or need a Data Processing Agreement (DPA), feel free to contact us at support@leoblocks.com.

You can read more about our privacy and data protection policies below: