Developed and maintained by EBSCOed, a division of EBSCO Information Services
Revised: April 2026
Introduction
This whitepaper details the security-specific capabilities, data protection commitments, and operational practices of LER.me — a free, open-access Learning and Employment Record (LER) platform developed and maintained by EBSCOed, a division of EBSCO Information Services.
LER.me enables individuals to create, manage, and share self-sovereign learning and employment records across their lifetime — from their first credential to retirement. Because LER.me handles personally identifiable information (PII) related to education, employment, and credentialing, EBSCOed takes the security and privacy of user data with the utmost seriousness.
This document is intended for institutional partners, state agencies, workforce boards, employers, and other stakeholders conducting security due diligence on the LER.me platform.
Platform Overview
LER.me is a free, secure, and comprehensive platform for creating, managing, and sharing self-sovereign individual Learning and Employment Records (LERs). Built on open standards — including Open Badges and Comprehensive Learner Records (CLRs) — LER.me is aligned with the U.S. Department of Education's definition of full-scale talent marketplaces.
The platform integrates industry-aligned data definitions and sources, including O*NET Online, the Bureau of Labor Statistics, academic catalogs, programs of study, and durable skills frameworks. Core capabilities include:
- Open-Access LER Wallet: A portable, privacy-first credential wallet with lifelong user ownership and control
- Digital Resume Builder: Curated, standardized digital resumes exportable in CLR format
- Credential Issuance: Validated skill, credential, and experience issuance with direct delivery to learner wallets
- Validated Provider Sync: Interoperability with institutional LER providers for verified record exchange
- Skills Vocabulary: Alignment to Professional Abilities, Competencies, Knowledge and Skills (PACKS) frameworks
- Self-Sovereignty: Users control what they share, with whom, and when — at all times
Platform Built for Trust
EBSCOed's security philosophy draws on industry-leading technology and recognized security standards. Ensuring that user data — particularly sensitive credentialing and employment information — is safe and secure is paramount to the LER.me mission. LER.me is built on a foundation of privacy-first design and rigorous access control, ensuring that individuals maintain ownership of their own learning and employment journey.
EBSCOed brings over four decades of trusted relationships across education, libraries, and workforce development. The LER.me platform inherits that institutional trust and extends it through formal security policies, enterprise-grade cloud infrastructure, and ongoing platform security review.
SaaS Subscription Architecture
LER.me is delivered as a cloud-based Software-as-a-Service (SaaS) platform hosted on enterprise-grade cloud infrastructure. EBSCOed manages all infrastructure maintenance, software updates, hardware patching, and security operations — allowing institutional partners to focus on learner outcomes rather than backend operations.
Shared Responsibility Model
Security responsibilities under LER.me are shared between EBSCOed and institutional partners. EBSCOed is responsible for securing the underlying cloud infrastructure, platform software, and services that power LER.me. Institutional partners are responsible for protecting their own administrative account credentials, managing user access within their organization, and responsibly configuring any third-party integrations they deploy. This shared model reduces the operational security burden on partners while maintaining a high baseline of platform-wide protection.
Hosting and Performance
LER.me is hosted on enterprise cloud infrastructure with a 99.9% uptime guarantee. EBSCOed continuously monitors hardware and network connections for reliability. The hosting environment is built to the highest information security standards and supports LER.me's compliance posture, including:
- Enforcement of highly secure RSA keys for server access and encryption
- Continuous logging of all servers
- Regular patching of servers and applications
- Enforcement of firewalls and server monitoring
- Adherence to OpenSCAP security guidelines for all applicable servers
Data Sovereignty
LER.me data centers and servers are located exclusively in the United States. All user data is stored, processed, and backed up within the United States. Data is never transferred or stored outside of the United States under any circumstances.
IT Infrastructure and Compliance Standards
The IT infrastructure underlying LER.me is designed and managed in alignment with the following recognized security standards:
- SOC 2 Type II: Validates controls related to security, availability, processing integrity, confidentiality, and privacy of the LER.me service environment.
- ISO 27001: Governs EBSCOed's Information Security Management System (ISMS), covering risk management, access control, and continuous improvement.
- FedRAMP: The Federal Risk and Authorization Management Program framework, ensuring cloud service security assessment and authorization consistent with U.S. government requirements.
- DoD CSM Levels 1–5: The U.S. Department of Defense Cloud Security Model, addressing multi-level security requirements for cloud-hosted workloads.
Data Center Details
Physical and Environmental Security
Data centers used by LER.me are state-of-the-art facilities utilizing innovative architectural and engineering practices, housed in nondescript locations. Physical access is strictly controlled at perimeters and building ingress points by professional security personnel using video surveillance, intrusion detection systems, and electronic access controls. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors must present identification and are continuously escorted by authorized staff. Access is granted only to those with a legitimate business need and is revoked immediately upon departure. All physical access is logged and routinely audited.
Fire Detection and Suppression
Automatic fire detection and suppression equipment is installed throughout all data center environments. The fire detection system uses smoke sensors in all server rooms, mechanical and electrical infrastructure spaces, chiller rooms, and generator rooms. These areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
Data center electrical systems are designed to be fully redundant and maintainable without interruption to operations, 24 hours a day, 7 days a week. Uninterruptible Power Supply units provide backup power for critical loads in the event of electrical failure. Generators provide full-facility backup power.
Climate and Temperature
Climate control systems maintain constant operating temperatures for servers and hardware, preventing overheating and service outages. Data centers maintain atmospheric conditions at optimal levels, with personnel and automated systems continuously monitoring temperature and humidity.
Business Continuity Management
LER.me employs infrastructure with a high level of availability and resilient architecture designed to tolerate system or hardware failures with minimal impact on users. Preventative maintenance is performed continuously to ensure the operability of all equipment.
Platform Security Features
Secure Access and Authentication
LER.me uses an enterprise identity and access management solution providing robust, standards-based authentication and authorization for all platform users. The system handles session management, token issuance, and identity federation. Passwords are stored using a salted SHA-512 hash, run through the hash function multiple times to increase the computation cost of generating the final hash — a security technique known as stretching. Supported authentication methods include:
- User ID and Password with configurable complexity and expiration policies
- Federated identity across external providers
- SAML 2.0
- OpenID Connect (OIDC)
- Active Directory and LDAP Authentication
- Social Login via identity providers
- Multi-Factor Authentication (MFA) — available for Provider, State Administrator, Marketplace Administrator, Case Manager, Durable Skills Framework Subscriber, and System Administrator roles
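The salted, stretched password storage described above, as an added example rather than LER.me or EBSCOed code: it uses PBKDF2-HMAC-SHA512 (RFC 8018), the standardized form of running a salted SHA-512 through the hash function many times. The iteration count, salt size and the stored record format are assumptions.

```python
# Added example, not LER.me code: salted SHA-512 stretching via PBKDF2-HMAC-SHA512.
# The iteration count, salt size and record format are assumptions for illustration.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2-sha512"
ITERATIONS = 210_000   # assumed work factor; stored per record so it can be raised later
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $pbkdf2-sha512$<iterations>$<salt>$<digest>.

    A fresh random salt per password means equal passwords produce different
    records, so a precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"${ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    _, algorithm, iterations, salt, digest = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and iteration count.

    hmac.compare_digest keeps the comparison constant-time, so a wrong guess
    cannot be told apart from a near-miss by measuring response time.
    """
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when the record was stretched less than current policy requires.
    Call after a successful login and re-hash with the now-known password."""
    iterations, _, _ = _parse(record)
    return iterations < minimum_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```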
Granular Role-Based Access Control
LER.me provides a hierarchical role structure ensuring users can only access functionality appropriate to their function. Access rights, content visibility, and feature availability are scoped accordingly. The platform supports the following roles:
- Anonymous: May browse publicly available content without authentication
- Individual: Learners and job seekers who own and manage their personal LER
- Provider: Education and training institutions or employers who issue credentials and manage programs
- State Administrator: Oversees platform activity and configuration within a state or jurisdiction
- Marketplace Administrator: Manages the broader talent marketplace environment
- Case Manager: Supports individuals navigating education and workforce pathways
- Durable Skills Framework Subscriber: Accesses and utilizes the platform's skills vocabulary and framework data
- System Administrator: Holds the highest level of platform access and is responsible for overall configuration and security
Preventing XSS, CSRF, and Malicious Data Entry
LER.me validates and scrubs all data before database entry. The platform tests that user-entered data — including form fields themselves — match prescribed, expected formats and values. Tokens are injected into each form as it is generated to protect against potential CSRF attacks. The database abstraction layer performs additional security checks on all data written to and retrieved from the database.
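The two form protections described above, as an added example that is not LER.me code: a per-form anti-CSRF token bound to the user's session, and validation that submitted fields and values match the form's declared definition. The HMAC construction, the token lifetime and the sample form definition are assumptions.

```python
# Added example, not LER.me code: per-form CSRF token plus field/value validation.
# The HMAC construction, token lifetime and PROFILE_FORM definition are assumptions.
import hashlib
import hmac
import re
import time
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 3 * 3600  # assumed; tokens older than this are rejected


def _mac(secret: bytes, session_id: str, form_id: str, issued_at: int) -> str:
    message = f"{session_id}|{form_id}|{issued_at}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def generate_form_token(secret: bytes, session_id: str, form_id: str,
                        now: Optional[float] = None) -> str:
    """Token injected into the form as it is rendered: <issued_at>.<hmac>.
    Binding to session_id and form_id means a token lifted from one user's
    form is useless on another session or another form."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(secret, session_id, form_id, issued_at)}"


def validate_form_token(secret: bytes, session_id: str, form_id: str, token: str,
                        now: Optional[float] = None) -> bool:
    """Reject malformed, expired, future-dated or mismatched tokens."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if current - issued_at > TOKEN_TTL_SECONDS or issued_at > current + 60:
        return False
    return hmac.compare_digest(_mac(secret, session_id, form_id, issued_at), mac)


# Constructed form definition: field name -> (required, pattern the value must match)
PROFILE_FORM: Dict[str, tuple] = {
    "display_name": (True, re.compile(r"^[\w .'-]{1,80}$")),
    "grad_year": (False, re.compile(r"^(19|20)\d{2}$")),
    "credential_id": (False, re.compile(r"^[A-Za-z0-9-]{1,64}$")),
}


def validate_submission(form_def: Dict[str, tuple], submitted: Dict[str, str]) -> List[str]:
    """Return a list of errors; an empty list means the submission is acceptable.
    Fields the form did not declare are rejected rather than silently stored."""
    errors = []
    for name in submitted:
        if name not in form_def:
            errors.append(f"unexpected field: {name}")
    for name, (required, pattern) in form_def.items():
        value = submitted.get(name, "")
        if value == "":
            if required:
                errors.append(f"missing required field: {name}")
            continue
        if not pattern.fullmatch(value):
            errors.append(f"invalid value for {name}")
    return errors
```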
Brute Force Detection
LER.me protects against brute-force password attacks by limiting login attempts from a single IP address over a predefined time period. Failed login attempts are logged and visible via the administrative interface. Administrators may configure bans on individual IP addresses and address ranges. By default, accounts are locked after five failed login attempts, and reset options are automatically presented to the affected user.
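The brute-force controls described above, as an added example that is not LER.me code: a per-IP sliding window, administrator bans on single addresses and address ranges, a lock after five failed attempts on one account, and the self-service reset that clears it. The window length, the per-IP threshold and the in-memory store are assumptions.

```python
# Added example, not LER.me code: login flood control with per-IP window, admin bans
# on addresses/ranges, and five-failure account lockout. Thresholds are assumptions
# except ACCOUNT_LOCK_THRESHOLD, which follows the whitepaper's default of five.
import ipaddress
import time
from collections import defaultdict, deque
from typing import Callable, List, Tuple

ACCOUNT_LOCK_THRESHOLD = 5   # from the whitepaper: five failures lock the account
IP_THRESHOLD = 50            # assumed failures allowed per source IP per window
WINDOW_SECONDS = 3600        # assumed length of the "predefined time period"


class LoginFloodControl:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._ip_failures = defaultdict(deque)   # ip -> timestamps of failures
        self._account_failures = defaultdict(int)
        self._locked = set()
        self._banned = []                        # ip_network objects set by admins
        self.log: List[Tuple[float, str, str, str]] = []  # (time, event, user, ip)

    def ban(self, address_or_range: str) -> None:
        """Ban a single address ("203.0.113.9") or a range ("203.0.113.0/24")."""
        self._banned.append(ipaddress.ip_network(address_or_range, strict=False))

    def _prune(self, ip: str, now: float) -> None:
        window = self._ip_failures[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def check(self, username: str, ip: str) -> str:
        """Decide before the password is checked: 'ok', 'ip_blocked' or 'account_locked'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self._banned):
            return "ip_blocked"
        now = self._clock()
        self._prune(ip, now)
        if len(self._ip_failures[ip]) >= IP_THRESHOLD:
            return "ip_blocked"
        if username in self._locked:
            return "account_locked"
        return "ok"

    def record_failure(self, username: str, ip: str) -> bool:
        """Log the failure; return True if this attempt locked the account."""
        now = self._clock()
        self._ip_failures[ip].append(now)
        self._account_failures[username] += 1
        self.log.append((now, "login_failed", username, ip))
        if self._account_failures[username] >= ACCOUNT_LOCK_THRESHOLD:
            self._locked.add(username)
            self.log.append((now, "account_locked", username, ip))
            return True
        return False

    def record_success(self, username: str, ip: str) -> None:
        self._account_failures[username] = 0
        self.log.append((self._clock(), "login_ok", username, ip))

    def reset_account(self, username: str) -> None:
        """Self-service password reset: unlock and clear the failure counter."""
        self._locked.discard(username)
        self._account_failures[username] = 0
```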
Mitigating Denial of Service Attacks
LER.me's extensible cache layer is pre-configured with basic page, JavaScript, and CSS caches. The system supports deep integration with performance technologies such as Memcache, Redis, Varnish, and CDN services. This multi-layered cache architecture is designed to withstand high traffic volumes and denial-of-service conditions.
OWASP Top 10
LER.me's security framework addresses all of the Open Web Application Security Project's Top 10 most critical security risks, ensuring that known and commonly exploited attack vectors are mitigated as part of the standard platform configuration.
Protective Blocking
LER.me's hosting environment features a protective blocking mechanism that restricts access to platform features where security vulnerabilities are detected. This method prevents exploitation of known vulnerabilities and is specifically targeted at high-impact, low-complexity attack vectors.
Vulnerability Assessment Program
EBSCOed maintains a database of known security vulnerability signatures and analyzes platform code upon each new release, on a regular schedule as new vulnerabilities are identified, and immediately when a critical vulnerability is detected. Automated systems decline releases flagged as critical. Periodic penetration testing is also conducted independently of software releases across all layers of protection and throughout the data lifecycle. EBSCOed does not share specific test dates or results.
Cookies and User Session Data
Session and cookie data is set to expire after three hours. Authenticated users have a timestamp of their visit recorded in server-side logs under their user profile. The following cookies are used by the LER.me platform.
Session Cookie
A session cookie is set when an authorized user logs in to LER.me. The platform issues session tokens to maintain authenticated state. This cookie applies only to authenticated users and is not set during anonymous browsing.
_ga and _gat
Cookies used for Google Analytics to track usage patterns and site performance.
Incident Response
EBSCOed's Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Support staff provide 24x7x365 coverage to detect incidents and manage their impact and resolution.
Incident response operates across two tracks. The Automated Response System continuously monitors LER.me instances and alerts appropriate personnel when action is needed — if a site becomes unresponsive, alerts are sent immediately to multiple personnel. The Alerted Response System allows end users and technical staff to submit incidents via the support portal at help.ler.me, where issues are diagnosed and resolved with frequent status updates communicated to the reporting party.
In the event of a confirmed security incident, internal teams are notified immediately via email, SMS, and collaboration tools. Clients and stakeholders are notified within 120 minutes of a confirmed incident.
Backup and Disaster Recovery
EBSCOed maintains a comprehensive backup and disaster recovery program for the LER.me platform, aligned with ISO 27001 and SOC 2 Type II standards.
Backup Schedule and Retention
LER.me performs automated daily snapshots of all platform data, stored in encrypted offsite cloud storage using AES-256 encryption. In addition to daily snapshots, the platform supports point-in-time recovery to any 5-minute interval within the prior 35 days, providing granular recovery options in the event of data loss or corruption. Backup integrity is verified on a monthly basis where applicable.
Recovery Objectives
For Priority 1 events — including system unavailability or data breach — LER.me targets a Recovery Time Objective (RTO) of less than 4 hours and a Recovery Point Objective (RPO) of less than 1 hour. These objectives are supported by multiple live data centers, site-to-site replication, and automated monitoring of all live systems and backups.
Disaster Recovery Plan
EBSCOed maintains a formal, documented Disaster Recovery Plan (DRP) for LER.me. Key elements of the plan include ongoing risk matrices covering natural disasters, cybersecurity threats, infrastructure failures, and human errors; defined roles for an Incident Response Lead, Infrastructure Team, Compliance Officer, Communications Lead, and Testing Team; containerized application architecture for automated failover and rapid redeployment; and full DR drills every six months with partial system tests conducted quarterly.
Key Disaster Recovery contacts are as follows:
- Disaster Recovery Lead: Walid Aggoun — waggoun@ebsco.com
- Compliance Officer: Chad Smith — chadsmith@ebsco.com
- Organization Lead: Scott MacDonald — smacdonald@ebsco.com
Data Process FAQ
The following questions address common due diligence and data governance inquiries related to the LER.me platform.
What is your password policy?
LER.me uses an enterprise identity and access management system that handles authentication sessions without exposing raw passwords to the application layer. Passwords are stored as salted SHA-512 hashes with stretching applied. Password policies — including minimum length, complexity, history, and expiration — are configurable per institution.
How is the password policy enforced?
The password policy is technically enforced to require minimum length and complexity, as well as password history and duration, with configuration specified by the customer or partner institution.
How many failed login attempts are permitted before lockout?
LER.me locks an account after five failed login attempts. Reset options are automatically presented to the affected user.
Does a locked account automatically unlock after a set period?
Locked accounts are unlocked via a self-service password reset. Users are presented with reset instructions upon lockout and may regain access without administrator intervention.
What authentication methods are supported?
LER.me authentication supports SAML 2.0, OpenID Connect (OIDC), Active Directory and LDAP, and social login via external identity providers. Multi-Factor Authentication (MFA) is available for all non-Individual roles, including Provider, State Administrator, Marketplace Administrator, Case Manager, Durable Skills Framework Subscriber, and System Administrator. Individual users authenticate through standard single-factor methods.
Can third parties access user data?
LER.me shares personally identifiable information only with trusted service providers and system partners necessary to operate the Services, and only under confidentiality protections required or permitted by law. LER.me does not sell personally identifiable user data. Aggregated, de-identified, or anonymized information — which cannot reasonably be linked to any individual — may be shared or used for research, analytics, reporting, and other lawful purposes.
How is application access provisioned and deprovisioned?
Users may self-register for individual access directly on the platform. Access to elevated or institutional roles must be requested through the official access request forms available at help.ler.me. Deprovisioning follows a similar process, with access revocation managed through the same portal.
What encryption is used for data in transit?
All data in transit is protected using TLS 1.2/1.3 (SSL/TLS) with 2048-bit RSA keys.
What encryption is used for password storage?
Passwords are stored using a SHA-512 hash with a salt, with multiple hash iterations applied to increase computation cost — a technique known as stretching.
Is data encrypted at rest?
Data at rest is hosted in a secure, access-controlled environment and protected at a granular level. All backup data is encrypted using AES-256 encryption.
In what countries is data stored and backed up?
LER.me data centers and servers are located exclusively in the United States. All user data is stored, processed, and backed up within the United States. Data is never transmitted or stored outside of the United States.
How long is user data retained?
LER.me retains user account data for as long as the account remains active. An account is considered active when the user signs in and establishes a session. Accounts that have not had a sign-in for 2 consecutive years may be designated as dormant, at which point data is moved to a restricted-access, encrypted storage state. If no sign-in occurs for 30 consecutive years, LER.me may permanently delete or anonymize the account and associated LER data. Users may delete their account at any time through the opt-out form within the Services. Deletion is permanent and cannot be undone.
Can individual user data be recovered separately?
Yes. Each user's LER and account data is maintained separately. In the event of data loss, user records can be restored independently without impacting other users.
How is user data isolated?
Each user's account, Digital Wallet, and LER data is logically isolated within the platform. User data is not accessible to or shared with other users except through explicit sharing actions initiated by the account holder.
How frequently are backups performed?
LER.me performs automated daily snapshots with point-in-time recovery available to any 5-minute interval within the prior 35 days. For P1 events, the RTO target is under 4 hours and the RPO target is under 1 hour.
Is your environment current on security patches?
Yes. LER.me operates on a continuous deployment model with weekly releases that include security patches, updates, enhancements, and bug fixes. These releases do not interfere with user or administrator access. Critical hot fixes may be applied within minutes if required.
Do you have an Information Security Policy?
Yes. EBSCOed maintains a documented Information Security program and policies that follow industry best practices. All employees are governed by comprehensive employment agreements, strong confidentiality clauses, and mature human resources policies and procedures.
How do you monitor for security incidents?
LER.me uses real-time console-based monitoring and automated alerting systems. Network IPS systems are updated both on schedule and on demand, with a review process prior to each implementation.
How long are logs retained?
Logs are retained based on EBSCOed's internal data retention standards and are secured by commercial logging device security controls.
Do you perform regular vulnerability assessments?
Yes. EBSCOed performs vulnerability testing internally on an ongoing basis, both automated and manual, consistent with its information security policies. The platform security team also conducts periodic penetration testing independent of software releases.
Privacy Commitments
LER.me is designed from the ground up with self-sovereignty and user privacy at its core. The following commitments reflect LER.me's published Privacy Policy (last updated March 21, 2026):
- Users own and control their Learning and Employment Record. Users decide what information they add, what they share, with whom, and for how long.
- LER.me does not sell personally identifiable user data to third parties or advertisers.
- Aggregated, de-identified, or anonymized data that cannot reasonably be linked to any individual may be used or shared for research, analytics, reporting, and other lawful purposes.
- Credential data added to a Digital Wallet is self-attested unless explicitly synced from a Validated Provider or connected through a verification service.
- LER.me does not collect or disclose medical or health information, or other restricted third-party information, unless explicitly permitted by law and supported by separate consent and legal agreements.
- The Services are designed for use in the United States only. User data is stored and processed in the United States and is subject to U.S. laws.
- The Services are available to users who are at least 14 years of age. Users ages 14 to 17 are subject to additional minor account protections, including restrictions on storing geolocation and IP-based information. Users 13 and under are not permitted to use the Services.
- Users may delete their account at any time through the opt-out form within the Services. Deletion is permanent and cannot be undone. Accounts inactive for 2 consecutive years may be designated dormant; accounts inactive for 30 consecutive years may be permanently deleted or anonymized.
- The LER.me Privacy Policy and Terms of Use are publicly available at help.ler.me and are updated with advance notice when material changes are made.