Security & data protection
SwiftSCORM handles training content and, on the hosted platform, learner completion records. Here's how that data is protected — in plain language. Questions: security@swiftscorm.com.
Your training documents
When you generate a quiz, the document text is sent over an encrypted connection to our AI provider (Anthropic) to write questions, then returned to your browser. We process it in memory to fulfill the request and do not store it on our servers. It is never used to train AI models. The finished SCORM package is assembled in your browser and downloaded directly to you.
Learner data on the hosted platform
If you publish a course to SwiftSCORM hosting, we store the course and each learner's completion record (name/email if you provide it, score, pass/fail, date) — this is the compliance audit trail you rely on. Access is gated by unguessable 144-bit tokens: a private dashboard token for you, a per-learner invite token for each employee. Token pages are marked no-index, no-referrer, and no-store so they don't get crawled or leak via outbound links. (We're also moving the dashboard token out of the URL into a session cookie — see the roadmap below.)
Result integrity
Whether a learner passed is determined on our server from your passing threshold — not accepted from the learner's browser. Completion is monotonic (a later attempt can't erase a pass) and keeps the best score. This is what makes the dashboard usable as evidence.
Platform hardening
Every page is served with a Content Security Policy, HTTP Strict Transport Security, clickjacking and MIME-sniffing protections, and a locked-down permissions policy. Data-changing and public endpoints are rate-limited. We don't advertise our framework or leak internal errors to clients.
Responsible disclosure
Found a vulnerability? Email security@swiftscorm.com with details and steps to reproduce. Please give us a reasonable window to fix it before public disclosure; we'll acknowledge your report and credit you if you'd like.
What we're still improving
We believe in being honest about posture. On the roadmap before we charge for hosted training: a managed database with row-level security, verified-email sign-in for dashboards, audit logging, and tightening our Content Security Policy to per-request nonces. We'll update this page as each ships.
Accessibility
SwiftSCORM targets WCAG 2.1 Level AA conformance. The training player includes keyboard navigation, screen-reader announcements (aria-live), visible focus indicators (focus-visible), and reduced-motion support. SCORM packages set the correct lang attribute for all five supported languages. See our Accessibility Conformance Report (VPAT 2.4) for full details.
Enterprise or government buyer with a security or accessibility questionnaire? We're happy to complete it.
Contact security →