Security at skills123
We handle learner data, payment identifiers, and generated course content. Here is exactly how we protect them — no hand-waving, no vague "enterprise-grade" claims.
Data encryption
Every request to skills123.com is served over TLS 1.2+ with HSTS. Data at rest is encrypted by our managed database provider using AES-256 volume-level encryption. Secrets and API keys are stored in environment variables, never in the repository, and rotated on a schedule.
Authentication
Login is powered by Auth.js (NextAuth) with a Credentials provider. Passwords are hashed with bcrypt (cost factor 12) — we never see, log, or store plaintext credentials. Sessions use short-lived signed JWTs and an HttpOnly, SameSite cookie. We are rolling out passkeys and TOTP-based 2FA next.
Sub-processors
We use vetted sub-processors to deliver the product — HeyGen, Gamma, ElevenLabs, Mux, Stripe, Resend, PostHog and Sentry. Each is listed with its purpose and data scope on our Privacy page. We notify account admins at least 30 days before adding new ones.
Incident response
Our on-call engineer monitors Sentry alerts, uptime probes, and auth failure anomalies 24/7. If an incident affects user data, we commit to notifying affected accounts within 72 hours, along with a public post-mortem on the changelog. Backups run nightly and are restore-tested monthly.
Vulnerability disclosure
Found something? We want to hear about it. Email security@skills123.com with a proof-of-concept and a safe reproduction. We acknowledge within 48 hours, fix within an agreed timeline, and credit you publicly if you want. We do not take legal action against good-faith researchers.
Compliance
Honest framing: we are a small team. We are actively working toward SOC 2 Type I in the coming year and already follow its controls — access reviews, change management, encrypted backups, and vendor monitoring. Until the audit completes, we will not pretend to be certified.
Questions about our security posture?
Enterprise buyers can request our security questionnaire, DPA, and architecture diagram.