Security and Reliability

ecLearn relies on a tech stack consisting of multiple technologies:

  • Microsoft Power Apps
  • Microsoft Azure Cloud Computing Services, including:
    • App Service
    • Key Vault
    • Blob Storage
  • SCORM Cloud

Microsoft Power Apps

The first core component of ecLearn is our Dataverse solution.

This solution includes a dedicated security role that is assigned to an S2S App User (an app registration in your Microsoft Entra ID tenant) used by our API to connect to your Dataverse environment. This role contains only the necessary permissions to make our app work, but it is up to your administrators to ensure that this role is applied correctly to the S2S App User.

Your data remains in your database, with two exceptions:

  1. We store certain settings required by our API to connect to your Dataverse environment in our database. Sensitive data such as client secrets are stored in our Azure Key Vault (see below for more details)
  2. We store anonymized data about your Course Registrations in order to track usage for billing purposes:
    • Course ID (ec_courseid) from your Course table
    • Registration ID (ec_courseregistrationid) from your Course Registration table
    • Learner ID (ec_learnerid) from your Learner table
    • The date a learner initially accessed a course
    • The first date of every month that a learner accessed a course

In both cases, access to this data in our system is secured using Power Apps security roles.

For more information about Power Apps security, see Security in Microsoft Power Platform.

Azure App Service

The second core component of ecLearn is our API, hosted in Azure App Services.

This API is the link between your Dataverse environment, with your Courses and Learners, and SCORM Cloud, our Learning Record Store (LRS). In order to authenticate your users, including both Learners and Course Authors, as well as to create and update certain records in your environment, our App Service requires limited access to work with your Dataverse data.

When you save your connection and configuration details, our API stores sensitive details in Azure Key Vault, and reads this data when your course authors publish new courses, or when learners launch courses from either Dataverse or a Power Pages website. The API uses Finbuckle Multitenant to keep requests to your data separate from other ecLearn customers, and it authenticates those requests using your own OAuth configuration to ensure that only authorized users from your organization can work with that data.

Availability of the ecLearn API is primarily governed by Microsoft Online Services’ SLA. From time to time, our API may need to be updated in order to apply necessary bugfixes or add new features. In such an event, the API may be temporarily unavailable for limited duration.

Azure Key Vault

In order to effectively secure the sensitive data, such as App Registration client secrets, that the ecLearn API requires to connect and authenticate to your Dataverse environment, we store secrets in Azure Key Vault. This data is read as required by our API. Access to the Key Vault is limited to essential administrators in our Azure tenant.

Azure Blob Storage

The ecLearn application uses Blob Storage as a temporary holding location for Course files uploaded from your Dataverse environment. In order to accomodate large file uploads, ecLearn uploads your files in chunks, and then transmits them from there to the SCORM Cloud LRS to be made available for your Learners. After SCORM Cloud has finished retrieving the files from Blob Storage (or in the event of an error doing so from SCORM Cloud), the files are deleted. We do not retain those files.


The final core component to ecLearn is SCORM Cloud, the Learning Record Store (LRS) that stores and serves your courses to your learners.

Within SCORM Cloud, your organization will be assigned to its own app with its own access key, stored in our Key Vault. This way, each ecLearn customer’s course and learner data will be separate from every other, and cannot be accessed by any other organization using ecLearn.

SCORM Cloud requires certain data to be transmitted and stored in its system:

  • Courses – SCORM Cloud stores your entire course, along with any other files that have been embedded into the Course itself. Courses created using ecLearn’s “Create My Own” course editor do not include embedded images and will only contain whatever Course configuration you specify using the editor. Courses uploaded to ecLearn are stored in SCORM Cloud as-is. SCORM Cloud needs to be able to read and display certain details about your course as well, in particular the course title and description.
  • Learners – SCORM Cloud stores whatever data it is sent about your learners, including their course results. ecLearn only sends anonymized data about learners to SCORM Cloud (the Learner ID from the Learner table in your Dataverse environment).

For more information about SCORM Cloud’s security, infrastructure, and availability, see SCORM Cloud infrastructure.

Back to top