Security and compliance, built into every layer.

Lemon Learning guides users on top of your applications without ever touching your business data. We read the structure of the page, not what is on it, so your sensitive information never reaches our servers.

No business data stored on our servers
Encrypted in transit and at rest
SSO via SAML 2.0
Continuous monitoring and audits
The core principle

We never store your business data.

Lemon Learning sits on top of your software as a guidance layer. To do that, it reads only the structure of the page (its HTML and metadata) to know where to place a step or a tooltip.

It does not read, collect, or store the content inside your screens. The only personal data we keep is the user's first name, last name, and email address, and whether we keep even that depends on the authentication mode you choose.

Data minimization. We store only what is needed to deliver the service. Your critical data is never collected unless you explicitly choose to share it (for example, the optional user attributes you upload yourself).

Built for the highest standards. Trusted by banks, insurers, and government agencies with demanding security requirements.

Illustration: how Lemon sees your screen (app.acme.com/customers). The fields Account name, Account number and Billing address appear to Lemon only as their element identifiers (id="account", id="number", id="address"); the values typed into them are never collected. The guide step shown (Lemon guide, 1/3) reads: "Click here to start creating the account."
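To make the "structure, not content" claim concrete, here is an added, illustrative example (not Lemon Learning's code) of what a structure-only reader looks like. It parses the HTML with Python's standard html.parser, keeps only an allowlist of structural attributes (id, name, type, role, class), and drops every text node and every other attribute. The sample page, the field values in it and the function names are constructed for this example; the point it demonstrates is that "the HTML" still contains business data (input value attributes, text inside a textarea), so an allowlist is what makes the guarantee hold.

```python
from html.parser import HTMLParser

# Attributes that describe where an element sits, not what it contains.
# Everything else (value, href, src, title, alt, data-*, ...) is discarded.
STRUCTURAL_ATTRS = {"id", "name", "type", "role", "class"}

# Elements that never have a closing tag, so they must not change depth.
VOID_ELEMENTS = {"input", "br", "img", "hr", "meta", "link"}


class StructureOnlyParser(HTMLParser):
    """Records (depth, tag, structural attributes) for each element and
    deliberately forgets all text content and non-structural attributes."""

    def __init__(self):
        super().__init__()
        self.elements = []          # list of (depth, tag, {attr: value})
        self._depth = 0
        self.dropped_attrs = 0      # how many attributes were discarded
        self.dropped_text_chars = 0 # how much text content was discarded

    def handle_starttag(self, tag, attrs):
        kept = {k: v for k, v in attrs if k in STRUCTURAL_ATTRS}
        self.dropped_attrs += len(attrs) - len(kept)
        self.elements.append((self._depth, tag, kept))
        if tag not in VOID_ELEMENTS:
            self._depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self._depth = max(0, self._depth - 1)

    def handle_data(self, data):
        # Text nodes are counted so the drop is visible, but never stored.
        self.dropped_text_chars += len(data.strip())


def extract_structure(html):
    """Return the structural skeleton of a page plus counters for what was dropped."""
    parser = StructureOnlyParser()
    parser.feed(html)
    parser.close()
    return {
        "elements": parser.elements,
        "dropped_attrs": parser.dropped_attrs,
        "dropped_text_chars": parser.dropped_text_chars,
    }


def find_anchor(elements, element_id):
    """Locate the element a guide step attaches to, by id. Returns (tag, attrs) or None."""
    for _depth, tag, attrs in elements:
        if attrs.get("id") == element_id:
            return tag, attrs
    return None


def leaks(structure, secrets):
    """Return the secrets that survived extraction (should be empty)."""
    dumped = repr(structure["elements"])
    return [s for s in secrets if s in dumped]


# Constructed sample page: a customer form with sensitive values filled in.
SAMPLE_PAGE = """
<form id="new-customer">
  <label for="account">Account name</label>
  <input id="account" name="account" type="text" value="ACME Holdings SA">
  <label for="number">Account number</label>
  <input id="number" name="number" type="text" value="FR76 3000 6000 0112 3456 7890 189">
  <label for="address">Billing address</label>
  <textarea id="address" name="address">12 rue de la Paix, 75002 Paris</textarea>
  <button id="create" type="submit">Create account</button>
</form>
"""

if __name__ == "__main__":
    structure = extract_structure(SAMPLE_PAGE)
    for depth, tag, attrs in structure["elements"]:
        print("  " * depth + f"<{tag}> {attrs}")
    print("anchor for step 1:", find_anchor(structure["elements"], "account"))
    print("dropped attributes:", structure["dropped_attrs"],
          "dropped text chars:", structure["dropped_text_chars"])
    print("leaked secrets:", leaks(structure, ["ACME Holdings", "FR76 3000", "rue de la Paix"]))
```

Note that the account name, IBAN-like account number and address are all present in the raw HTML, two of them as value attributes rather than as text. A reader that kept "all attributes" or "all of the HTML" would carry them to the server; the allowlist is the control to ask a vendor about.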
Full transparency

Exactly what we store, and why

No business data is involved. These are the only fields Lemon Learning records, and each one has a clear purpose.

Data field: why we need it

URL and URL patterns: identify which application Lemon overlays, and detect whether guidance should load on the page.

User ID: recognize a returning user and show progress on completed guides. Generated automatically when the browser extension is used.

First and last name: create a back-office account so the user can access Lemon Learning content.

Email address: create the account and confirm sign-up through a confirmation link.

User attributes (optional): segment users by group, tag, or attribute for tailored guidance. Never collected automatically, only through a CSV you upload yourself.
Defense in depth

Protected at every layer

From the laptops our team works on to the infrastructure that runs the service, security is layered end to end.

Endpoints

Encrypted drives and group policies, Sophos Intercept X EDR with anti-ransomware and anti-exploit, and a Qualys agent for vulnerability detection.

Network

A managed Sophos firewall monitors and filters network traffic, blocks known attack patterns, and enforces application control across the work network.

Infrastructure

Qualys scans every component and feeds a patching process. Authentication logs are reviewed and signed off by the technical team, and SSL/TLS certificates are monitored with expiry alerts.

Backups and recovery

A database backup every 24 hours (kept 7 days) and a full snapshot every 7 days (kept 4 weeks), duplicated to a second data center and stored in Azure Vault, with weekly restore checks.

Access governance

Access is provisioned and revoked through a controlled onboarding and offboarding process. The security lead and CTO review accounts and permissions every quarter.

Internal audits and hardening

We run Burp Suite scans across our flows to surface vulnerabilities and JavaScript (XSS) injection tests against our APIs, and the technical team runs a hardening cycle every three months.

Authentication and access

Authentication that fits your security posture

Three ways to authenticate users. The right mode depends on how sensitive your guidance is and whether you need per-user analytics. We store only first name, last name, and email.

01

Anonymous auto-login

A shared reference user grants access to your content, so no personal data is collected. Best when you do not need analytics per individual user.

02

Identified auto-login

Pass the signed-in user's details to Lemon through JavaScript variables set on the page. Enables per-user analytics, ideal for onboarding programs. Because these values are set in the browser, treat them as identification for analytics rather than as proof of identity; use SSO where the identity must be verified.

03

Single Sign-On (SSO)

Connect Lemon to your corporate directory through SAML 2.0. Users in your Active Directory or Azure AD (now Microsoft Entra ID) are provisioned automatically. Best for large user bases and detailed analytics.

Hosting

Hosted on Microsoft Azure

Lemon Learning's databases, servers, and network infrastructure run on Microsoft Azure, inheriting the security and compliance of its data centers.

Backups are created daily for every database and stored in a dedicated Azure vault, on infrastructure separate from the primary servers.

Microsoft Azure infrastructure
Daily encrypted backups
Continuous infrastructure monitoring
Isolated backup storage

Standards and controls we work to

ISO 27001 aligned
SSO / SAML 2.0
Encryption in transit and at rest
Data minimization
EDR-protected endpoints
Continuous monitoring

Security questions, answered

Do you store our business data?

No. Lemon Learning reads only the structure of the page (its HTML), never the content inside it. The only personal data we store is the user's first name, last name, and email address, and whether we store even that depends on the authentication mode you choose.

Where is our data hosted?

On Microsoft Azure. Our databases, servers, and network infrastructure run on Azure, with daily backups stored in a dedicated, isolated Azure vault separate from the primary servers.

Do you support SSO?

Yes. Lemon connects to your corporate directory through SSO using SAML 2.0. Users in your Active Directory or Azure AD (now Microsoft Entra ID) are provisioned into the back office and signed in to the player automatically.

How often do you back up data?

A database backup runs every 24 hours and is kept for 7 days, plus a full snapshot every 7 days kept for 4 weeks. Backups are duplicated to a second data center, and we run a restore check every week.

How do you protect against attacks?

Encrypted endpoints with Sophos Intercept X EDR, a managed firewall, Qualys vulnerability scanning, authentication-log review and sign-off, SSL/TLS certificate expiry alerts, and a hardening cycle every three months.

Do you run security audits?

Yes. We run Burp Suite scans across our flows to find and fix vulnerabilities, JavaScript (XSS) injection tests against our APIs, and a quarterly review of accounts and access rights led by the security lead and CTO.

Talk to our team

Bring your security team. We will bring the answers.

Book a security review and get our full documentation, including our data-handling details and infrastructure controls.