Security

How we protect your data and keep the SkillMonster platform secure.

Operator: SkillMonster is a global supplemental learning platform. Services on this site are operated by AxiomX LLC, Texas, United States.

TLS Encryption

All data in transit is encrypted with TLS 1.3

Password Security

Passwords hashed with bcrypt (cost factor 12)

Data Encryption

Sensitive data encrypted at rest (AES-256)

Security Audits

Regular penetration testing and vulnerability scans

Security Practices

  • HTTPS enforced across all endpoints with HSTS headers
  • Content Security Policy (CSP) headers with nonce-based script allowlisting
  • Rate limiting on all API endpoints to prevent abuse
  • Session tokens rotated on login; invalidated on logout
  • SQL injection prevention via parameterized queries (Prisma ORM)
  • XSS protection via React's DOM escaping and CSP
  • Dependency vulnerability scanning via automated CI checks
  • Two-factor authentication available for all accounts

Responsible Disclosure / Bug Bounty

We welcome security researchers to report vulnerabilities. If you discover a security issue, please report it via our contact page with full details. We ask that you:

  • Give us reasonable time to investigate and fix before public disclosure
  • Avoid accessing or modifying other users' data
  • Not perform denial-of-service attacks

We acknowledge all valid reports and offer recognition (Hall of Fame) for significant findings.

Compliance: SkillMonster follows applicable US data protection laws, including CCPA for California residents and COPPA for users under 13. A SOC 2 Type II audit is currently in progress.