Data handling · DPA basis

How we handle your data

A technical walkthrough of encryption mechanisms, data flow, and sub-processors — designed for corporate customers and data protection officers who need the details behind the privacy policy.

Last updated: May 24, 2026

  • Data location: EU/EEA
  • Transport encryption: TLS 1.3
  • Encryption at rest: AES-256
  • Deletion SLA: 30 days

1. Roles under GDPR

We have two typical roles depending on who uses the service:

  • Data controller

    When individual users register directly, LexiCo AS is the data controller for their data.

  • Data processor

    When a company purchases licences for its employees, the company is the controller and LexiCo AS is the processor under a DPA (data processing agreement).

2. Encryption mechanisms

Data is protected in multiple layers:

  • In transit

    TLS 1.3 on all endpoints. HSTS enabled with a 30-day max-age. No HTTP access.

  • At rest

    AES-256 disk encryption on database volumes. Sensitive fields (API keys, tokens) are additionally per-field-encrypted before insert.

  • Passwords

    ASP.NET Identity using PBKDF2-SHA512, 10,000+ iterations and unique salt per user.

  • Certificates (TSP)

    ECDSA P-256 signing with hash-chained evidence — tamper-evidence for every issued certificate. Public key available at /.well-known/lexico-academy-tsp-key.
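
To check stored records against the parameters stated in the Passwords item above, this added example (not LexiCo's own code) parses hashes in the ASP.NET Core Identity version 3 layout and flags records that miss PBKDF2-SHA512, 10,000 iterations, or a unique salt. It assumes the default Identity V3 hash format is in use; the function names and the sample records are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from collections import Counter

# Assumption: default ASP.NET Core Identity V3 layout; ids are its KeyDerivationPrf values.
PRF = {0: "sha1", 1: "sha256", 2: "sha512"}

def make_v3(password, salt, iterations, prf=2, subkey_len=32):
    """Build a V3-format hash; used here only to construct sample data."""
    subkey = hashlib.pbkdf2_hmac(PRF[prf], password.encode(), salt, iterations, subkey_len)
    header = b"\x01" + struct.pack(">III", prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode()

def parse_v3(encoded):
    """Split {0x01, prf, iterations, salt length, salt, subkey}; integers are big-endian."""
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 13 or blob[0] != 0x01:
        raise ValueError("not a V3 password hash")
    prf, iterations, salt_len = struct.unpack(">III", blob[1:13])
    if prf not in PRF or salt_len == 0 or 13 + salt_len >= len(blob):
        raise ValueError("malformed V3 header")
    return PRF[prf], iterations, blob[13:13 + salt_len], blob[13 + salt_len:]

def verify(password, encoded):
    """Recompute the subkey from the stored parameters and compare in constant time."""
    prf, iterations, salt, subkey = parse_v3(encoded)
    candidate = hashlib.pbkdf2_hmac(prf, password.encode(), salt, iterations, len(subkey))
    return hmac.compare_digest(candidate, subkey)

def audit(hashes, required_prf="sha512", min_iterations=10_000):
    """Return (index, finding) pairs for records that miss the stated policy."""
    parsed = [parse_v3(h) for h in hashes]
    salt_counts = Counter(salt for _, _, salt, _ in parsed)
    findings = []
    for i, (prf, iterations, salt, _) in enumerate(parsed):
        if prf != required_prf:
            findings.append((i, f"prf is {prf}"))
        if iterations < min_iterations:
            findings.append((i, f"only {iterations} iterations"))
        if salt_counts[salt] > 1:
            findings.append((i, "salt shared with another record"))
    return findings

# Constructed sample records (passwords and salts are made up for this example)
SAMPLES = [
    make_v3("correct horse", bytes(range(16)), 10_000),
    make_v3("battery staple", bytes(range(16, 32)), 1_000, prf=1),
    make_v3("tr0ub4dor", bytes(range(16)), 10_000),
]

print(audit(SAMPLES))
```
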

3. Data flow

All traffic follows this flow — we have deliberately designed out external third parties for analytics and tracking:

  1. User → CDN

    Cloudflare (EU edge) for DDoS protection. No logging of personally identifiable traffic.

  2. CDN → App

    ASP.NET Core 8 hosted with Hetzner in Germany and Finland.

  3. App → Database

    SQL Server in the same data centre. Private network, no public endpoint.

  4. App → Backup

    Daily encrypted backups to geo-redundant EU storage (90-day retention).

4. Sub-processors

Complete list of who processes data on our behalf. All have signed a DPA, all are within the EU/EEA:

Vendor | Purpose | Region | DPA
Hetzner Online GmbH | Application and database hosting | Germany / Finland | Active (Hetzner DPA)
Stripe Payments Europe Ltd | Payment processing (no card data stored with us) | Ireland | Active
Sendinblue (Brevo) | Transactional email and SMS notifications | France | Active
Cloudflare | CDN and DDoS protection (EU edge) | EU edge | Active (Standard Contractual Clauses)

5. Access control and audit

Access to production data is role-based (RBAC) and requires MFA. All administrative actions are recorded in an immutable audit log with timestamp, user ID, and action type. Logs are archived for 12 months.

6. Incident response

When a confirmed security incident affects personal data we notify:

  • Data Protection Authority

    Within 72 hours (GDPR art. 33).

  • Affected users

    If the incident is likely to result in high risk (GDPR art. 34).

  • Corporate customers

    Per DPA obligations, normally within 24 hours.

7. Data portability and deletion

You can at any time request export or deletion of your data via the profile settings or by contacting our privacy officer:

  • Export

    JSON structure with all profile, course, and certificate data. Delivered within 30 days.

  • Deletion

    Account + profile + progress are deleted within 30 days. Certificates and TSP evidence are anonymised and retained for 10 years for verifiability.

  • Corporate export

    A company can export the course report for all of its employees via /Company/Reports.

8. AI features and data

Some courses offer AI-generated suggestions (e.g. personalised learning plan). We never send your name, email, or full profile to AI providers. Only anonymised fragments (course progress, selected interests) are sent, and only to providers with an EU instance (Azure OpenAI EU). Users can disable AI features in their profile settings.

9. For corporate customers

Companies that register employees via a corporate licence receive standard DPA terms as part of the subscription. A bespoke DPA can be entered into for the Enterprise tier; contact sales.

Download standard DPA (PDF)

10. Contact and documentation

Questions about data processing or need for documentation:

  • Privacy contact: privacy@academy.lexico.no
  • Security incidents: security@academy.lexico.no

Need a DPA or security documentation?

We provide complete documentation for data protection officers and IT security leads on request.