Quality & auditability
Security-training software has to be built cleanly itself.
A security-awareness platform that is sloppily built is a contradiction in terms. That is why quality is not an afterthought for us — it is a mandatory gate before every release, even the smallest hotfix.
The Chain of Trust
Every change passes through the same chain of five responsibilities. No link is skipped — not even for "small and quick".
- 1. Code Reviewer: Code review
  House rules, correctness and consistency across both languages — including a check that no link or button leads nowhere.
- 2. Compliance Officer: Compliance
  New dependencies, outbound network traffic, personal-data flows and asset provenance are reviewed on every change.
- 3. Test / QA Engineer: Tests
  Every new logic path needs a test. Pages are verified in both languages; shared logic is unit-tested for the happy path and edge cases.
- 4. Release Engineer: Pre-flight
  An automated build, asset-size and visual check runs in both languages. On a visual bug we stop instead of patching over it.
- 5. Tech Lead: Integration & release
  Consolidation, staged merge and a release log — so it is always traceable who shipped what, and when.
Quality you can measure
At ValidLearn, quality isn't a claim — it's a number. Every code change passes through several automated checks before it goes live: automated tests on backend and frontend, continuously measured test coverage with fixed minimum thresholds, ongoing security scans, and end-to-end tests that click through the app like a real user — in both languages.
We keep the progress transparent: the number of tests grows continuously, and measured coverage rises sprint over sprint instead of stagnating. Security gaps aren't just fixed — each one is permanently locked down by its own counter-test. In our most recent hardening sprint, open findings went from eight to zero.
Automatically checked before every release
Before every deploy, a mandatory pre-flight gate runs — the same script locally and in the pipeline. As long as a single check is red, no release leaves our pipeline. A full continuous-integration pipeline that checks every change automatically is currently being rolled out across all repositories.
An automated gate that blocks faulty releases
Before any "ship it", a single pre-flight script runs build, asset-size, migration and SEO checks. A failing check stops the release — there is no override. The same script runs locally and in the pipeline, so the check is identical everywhere.
Test-first, by default
We write the test before the implementation, especially for new features. A test has to prove behaviour — that the attack now fails, that the translation actually appears — not just that some pattern exists in the source. Code without a matching test does not get merged.
Data minimisation — concretely
The marketing site is statically generated: no backend, no login, no tracking, no analytics SDK, no external fonts or CDNs.
It sets exactly one functional cookie — your language choice. Nothing else is stored about you.
Inside the platform, the public endpoint exposes only what is strictly needed, and logs are checked for personal-data leaks.
An audit trail you can actually follow
Certificate-relevant events are recorded append-only — they can be read back, never silently rewritten.
Learning content is versioned as plain text in Git instead of living in a black-box CMS.
Every deploy is captured in a release log, so the history of what went live stays transparent.
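One common way to make an append-only event record verifiable on read-back is a hash chain, shown here as an added illustration; it is not ValidLearn's code, and the page does not say which mechanism the platform uses. The class, function and event field names are hypothetical, and the sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only event log; each entry commits to the one before it."""

    def __init__(self):
        self._entries = []

    def append(self, event):
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"event": dict(event), "prev": prev_hash,
                 "hash": _digest(prev_hash, event)}
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        # Deep copy via JSON so callers cannot mutate the stored records.
        return json.loads(json.dumps(self._entries))


def verify(entries):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    return None


def demo():
    log = AuditLog()
    # Constructed sample events; the field names are assumptions.
    log.append({"type": "certificate_issued", "learner": "u-1001", "course": "phishing-101"})
    log.append({"type": "certificate_revoked", "learner": "u-1001", "course": "phishing-101"})
    log.append({"type": "certificate_issued", "learner": "u-1002", "course": "phishing-101"})
    clean, tampered = log.entries(), log.entries()
    tampered[1]["event"]["type"] = "certificate_issued"  # silent rewrite of one record
    truncated = clean[1:]  # oldest record dropped
    return verify(clean), verify(tampered), verify(truncated)
```

A chain like this detects edits and removals inside the log, but not removal of the newest entries; catching that requires keeping the latest hash somewhere the log writer cannot change.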
A living process
The Chain of Trust is not set in stone. We review it after every larger sprint, learn from what slipped through, and tighten the gates over time — quality as a habit, not a one-off.