# Your data is protected. Your trust is earned.

Coursebox is built on enterprise-grade security. From how we handle your AI data to where we host your platform, every decision is made with your privacy in mind.

## Security built into every layer

We don't bolt security on as an afterthought. It's engineered into how Coursebox works — from the AI models we use to the infrastructure we run on.

### GDPR Certified

Coursebox Pty Ltd is formally assessed and certified for GDPR compliance by AQSR (accredited by USAC). Certificate #17412, valid through June 2026. All personal data is handled lawfully, fairly, and transparently.

### Your data stays yours

Your course content, learner data, and proprietary materials are never used to train public AI models — not by Coursebox, and not by any of our AI providers. This is contractually assured.

### Enterprise-grade hosting

Every Coursebox portal is hosted on OVH France — ISO 27001-certified data centres with redundant infrastructure, daily backups (14-day retention), and full GDPR compliance. Enterprise clients can add Google Cloud hosting.

## Powered by Azure OpenAI — not the public API

In June 2024, Coursebox moved all AI features to Microsoft's Azure OpenAI Service — a private, enterprise-grade environment. Unlike the public OpenAI API, Azure OpenAI means:

- Your data is not used to retrain any models
- Built-in protections against data leakage and unauthorised access
- GDPR-aligned data storage and handling
- Backed by Microsoft's global datacentres with high uptime and resilience
- Options for organisations to set boundaries around AI usage

## Responsible AI, by design

We think carefully about how AI is used in Coursebox — and we are transparent about it.

### Human-in-the-loop publishing

All AI-generated course content is reviewed and edited by course admins before any learner sees it. You stay in control of what gets published — AI is your assistant, not the decision maker.

### No AI training on your data

Coursebox's policy: customer content and learner data are never used to train or fine-tune AI models unless explicitly agreed in writing. All AI providers we use are held to the same standard.

### EU AI Act compliant (from Aug 2026)

From 2 August 2026, Coursebox will enable AI disclosure notes for interactive AI features (AI Tutor, grading), machine-readable markers for AI-generated content, and contextualised notes for AI-generated video.

## Our AI providers and their data commitments

Every AI provider Coursebox uses is evaluated for security posture, data handling, and enterprise compliance before integration.

**Microsoft Azure OpenAI** — AI writing, tutoring, and content generation. Microsoft confirms Azure OpenAI does not use customer data to retrain models.

**Google Gemini Pro** — AI image generation. Image prompts and responses are not used to train Google's models.

**Microsoft Azure Neural TTS** — AI voiceovers. Processed within Microsoft's secure cloud. Data is not used to retrain public models.

**HeyGen** — AI avatar video. HeyGen confirmed in writing (26 Feb 2026) that Coursebox's Enterprise API account is fully opted out of model training and removed from all data training pipelines.

**Chatbase** — Support chatbot. Customer data is not used to train public foundation models. Data is processed only to provide responses within your environment.

**Mistral** — Document image extraction. Processing is performed via secure API. Extracted content stays within your Coursebox environment and is not used to train external models.

## Hosting built for compliance

Every Coursebox portal runs on infrastructure designed to meet the highest standards of security and data protection.

### OVH France (default — all plans)

ISO 27001-certified European cloud hosting. Meets GDPR and EU data protection regulations. Redundant infrastructure with daily backups retained for 14 days. High availability and scalable performance.

### Google Cloud (Business & Enterprise add-on)

Need hosting closer to your learners or aligned with existing enterprise infrastructure? Business and Enterprise clients can select Google Cloud hosting in regions outside France.

### Data transfer safeguards

Where personal data is transferred outside the EU/EEA, Coursebox ensures adequate protections through Standard Contractual Clauses (SCCs) and GDPR-compliant cloud providers.

## Security questions, answered

**Does Coursebox use my data to train AI models?**

No. Coursebox's policy is that customer content and learner data are never used to train or fine-tune AI models unless explicitly agreed in writing. This applies to Coursebox and all our AI providers, including Microsoft Azure OpenAI, Google Gemini Pro, and HeyGen.

**Where is my data hosted?**

By default, all Coursebox portals are hosted on OVH France — an ISO 27001-certified European cloud provider that meets GDPR requirements. Business and Enterprise clients can add Google Cloud hosting in other global regions.

**Is Coursebox GDPR compliant?**

Yes. Coursebox Pty Ltd is formally certified for GDPR compliance by AQSR, accredited by the United States Accreditation Council. Certificate Number: 17412, valid through June 2026. You can verify this at www.aqsrworld.com.

**How is data protected in transit and at rest?**

All data transmitted between users and Coursebox is encrypted using TLS. Data stored on Coursebox infrastructure is encrypted at rest.

**Why did Coursebox move from OpenAI to Azure OpenAI?**

We transitioned in June 2024 to give clients greater assurance over data privacy. Azure OpenAI runs within Microsoft's private enterprise cloud — your data never passes through shared public infrastructure and is contractually confirmed to not be used for model retraining.

**What happens with HeyGen AI video features?**

HeyGen has formally confirmed in writing (26 February 2026) that Coursebox's Enterprise API account is fully opted out of model training and removed from all data training pipelines.

**Do I need to disclose AI use to learners?**

From 2 August 2026, Coursebox will comply with EU AI Act Article 50 requirements — enabling AI notes for interactive features, machine-readable markers for AI-generated content, and disclosures for AI-generated video. For SCORM, LTI, or iframe deployments, the course publisher is responsible for learner-facing disclosures.

**Can I verify Coursebox's GDPR certification?**

Yes. Visit www.aqsrworld.com and search using Certificate Number 17412 to independently verify Coursebox's GDPR compliance certification.

## Have security questions?

Contact our team at support@coursebox.ai or read our full Privacy and Data Protection documentation.

### Full privacy documentation

Read our complete Privacy and Security policy — including platform architecture, GDPR compliance, responsible AI practices, and third-party provider data commitments.

### Annual GDPR assessments

Our GDPR certification is subject to annual assessment by AQSR to ensure ongoing compliance as regulations and AI capabilities evolve.

### Enterprise security reviews

Need a security questionnaire, Data Processing Agreement, or procurement documentation? Contact your Coursebox Account Manager or reach out at support@coursebox.ai.
