Security 🔒

At BuildEmpire, trust is at the core of everything we do. 

Why security and trust matter

As a leading provider of learning platforms, we understand that our customers depend on us to protect their data, ensure uptime, and deliver a platform that supports their learners securely and reliably.

So, this page exists to give you full transparency into how we safeguard your information, the standards we uphold, and the partners we work with. 

We believe that earning your trust starts with openness, so here’s how we do it 👇👇

Our subprocessors 💻

To deliver a high-performing, secure LMS, we work with carefully selected third-party providers (“subprocessors”). 

Each subprocessor is vetted for security, compliance, and reliability before we engage with them, and we maintain data processing agreements aligned with GDPR requirements.

Amazon Web Services (AWS)

We use AWS to host our infrastructure and store application data securely. AWS provides world-class physical and network security, scalability, and redundancy, helping ensure the BuildEmpire LMS remains fast, reliable, and resilient.

By default, we host within UK or EU AWS regions, but we’re happy to deploy to an alternative AWS region if your organisation has specific requirements.

HubSpot

HubSpot is used to manage customer relationships, communication, and onboarding.

We store only essential contact information within HubSpot, and all data is processed in compliance with GDPR standards.

Google

Google supports our internal operations - including analytics, productivity tools, and communication services.

We leverage Google Workspace and analytics solutions under strict access controls and data security configurations.

Workato (optional)

We can integrate Workato into your platform to automate certain workflows between systems securely. This enables seamless integration between our tools while ensuring that data handling remains compliant and efficient.

OpenAI (optional)

As part of Totara v19 onwards, you can integrate OpenAI within your LMS. When OpenAI is enabled, data sent to the model is excluded from training by design.

Postmark (optional)

Postmark manages our transactional email delivery - such as password resets and notifications. It’s chosen for its reliability, speed, and security in handling sensitive email data.

Our policies and processes ✅

Our approach to security, privacy, and service quality is governed by a robust set of internal policies and processes.

These policies ensure that every aspect of how we manage your data and systems aligns with best practices in information security and regulatory compliance.

Core security & compliance policies

  • Information Security Policy
  • Data Protection Policy
  • ISMS Manual
  • Statement of Applicability
  • ISMS Legislation Register
  • Sustainability Statement
  • Modern Slavery Statement

Data protection & information handling

  • Information Classification and Handling Policy
  • Cryptographic Policy
  • Clear Screen and Clear Desk Policy
  • Information Backup Policy
  • Backup and Restore Testing Schedule
  • Asset Register

Access & user management

  • Access Control Policy
  • User Access Matrix
  • Acceptable Use of Assets Policy
  • Remote Working and BYOD Policy

Secure development & technical controls

  • Software Development Policy & Procedures
  • Engineering Secure Systems Principles
  • Configuration Procedure
  • Approved Software List
  • Change Control Form

Supplier & third-party management

  • Secure Supplier Policy
  • Approved Supplier List
  • Interfaces and Dependencies

Business continuity & incident response

  • Business Continuity Plan and Disaster Recovery Procedure
  • Incident Management Procedure
  • Risk Register

Our compliance and certifications

We take data protection and information security seriously at BuildEmpire.

This means regularly reviewing the controls and processes we rely on, ensuring they remain effective as risks and technologies evolve.

We adhere to industry-leading standards and regularly undergo independent audits by accredited certification bodies to verify our ongoing compliance.

All of these certifications mean that we can be trusted with your data, and with your platforms. 

ISO 27001:2022

BuildEmpire is certified to the ISO 27001:2022 standard, the internationally recognised framework for Information Security Management Systems. This certification demonstrates our systematic approach to managing sensitive information, mitigating risk, and continuously improving our security posture.

Cyber Essentials

We are certified under the Cyber Essentials scheme, a UK government-backed initiative that helps protect organisations against common online threats. This certification validates that our systems are secured against the most common cyber attacks.

Cyber Essentials Plus

We’ve gone a step further by achieving Cyber Essentials Plus certification, which includes independent testing and verification of our systems. This enhanced level of assurance confirms that our controls and protections are not only in place but actively effective in defending against real-world threats.

GDPR

As part of our annual ISO audits, our auditors review how our controls align with GDPR principles, helping to ensure that personal data is handled lawfully, transparently, and for legitimate purposes. Our processes support user rights, data minimisation, and secure data handling across all services.

Build your dream LMS with us ☁️

Whether you’re building a learning platform from scratch or migrating from another provider, we can help. Our team of devs and learning experts can help you make a solution custom to your needs.

Penetration testing and security audits

Security isn’t set-it-and-forget-it.

We run independent annual penetration tests on our hosting infrastructure and platform environment to ensure that any weaknesses are identified and resolved promptly. 

These tests simulate real-world attacks to identify and resolve any vulnerabilities before they can be exploited. We send you the full report that outlines any actions we need to take to ensure your platform is as reliable as it can be. 

And that’s not all. Totara itself conducts annual independent penetration tests to ensure that their core product remains secure and resilient. This layered approach means our platform benefits from both our own and Totara’s ongoing security testing and improvements.

FAQs

Security is embedded into every layer of our platform, from infrastructure and data encryption to application design and access management. Our ISO 27001 certification, regular penetration testing, and compliance with GDPR and Cyber Essentials Plus demonstrate our commitment to maintaining strong security practices.

All data is securely hosted in Amazon Web Services (AWS) data centres. We use UK/EU AWS regions as standard, and we can support alternative AWS regions if your organisation prefers a different location. AWS maintains industry-leading security and compliance standards, including ISO 27001, SOC 2, and GDPR alignment.

Yes. Our platforms benefit from a structured backup and restore programme designed to protect against data loss. Backups are encrypted, taken frequently in line with defined schedules, and stored securely in separate AWS locations. We also conduct regular restoration tests to validate that backups can be recovered quickly and effectively. This process ensures that your data remains protected and recoverable in the event of an incident, outage, or system failure.

We apply strong encryption across our entire platform to ensure your data remains protected wherever it resides. Data is encrypted in transit using modern TLS protocols, and encrypted at rest in line with industry best practice. This includes encryption for databases, storage, backups and all related infrastructure. These measures protect against unauthorised access and help ensure confidentiality and integrity at every stage.

Our LMS is designed for high availability and reliability. We continuously monitor system health and performance, and our infrastructure is built on AWS for scalability and resilience. We maintain a strong historical uptime record and can provide SLA commitments for enterprise customers.

We maintain a comprehensive Business Continuity Plan and Disaster Recovery Procedure designed to keep your services running. This includes documented recovery procedures, regular reviews of critical suppliers, redundant hosting infrastructure, and scheduled backup and restore testing. Our approach ensures that we can respond quickly to incidents and restore affected services with minimal disruption.

We operate a formal incident management process that covers detection, investigation, containment, and remediation of security events. If an incident affects customer data, we act quickly and transparently in line with GDPR requirements. Our dedicated ISMS team coordinates the response, ensures all actions are documented, and communicates directly with affected clients when necessary.

We follow a secure software development lifecycle that includes peer review, automated testing, security checks, and strict separation of development, staging and production environments. All code changes are reviewed by at least one other developer before release, and all releases are tested in a dedicated staging environment. By combining secure design principles with modern engineering practices, we ensure that new features are delivered safely, consistently and with security in mind from the start.

Security is reviewed continuously as part of our ISO 27001 ISMS framework. In addition, we carry out internal audits, third-party assessments, and annual penetration tests (both ours and Totara’s) to ensure ongoing protection.

Our commitment to you

We believe trust is earned, not assumed. BuildEmpire will continue to review, audit, and improve our systems and partnerships to uphold the highest standards of data protection and service reliability.

If you have questions about our compliance, certifications, or subprocessors, please contact our Data Protection Officer, Nate, at contact@buildempire.co.uk.

centre for creative leadership

“BuildEmpire created a platform that is truly unique – a truly engaging user experience on the front end for students, coupled with Totara’s ease of administration for our staff.”

Kyle Epps, Senior Technical Product Manager