HT2 Limited

Learning Locker - Learning Record Store (LRS)

xAPI ready, Learning Locker connects systems together, proves impact of training and allows for informed decisions on future learning design. Create a single point of reporting for all learning and performance and visualise data with customisable dashboards. Scalable, affordable and able to integrate with your existing L&D software.


  • xAPI-ready to track online and offline learning activity
  • Non-xAPI Integrations send data into the Learning Record Store
  • Multiple LRS: Create as many as you’d like
  • Customisable Dashboards create actionable dashboard data in minutes
  • Manage user identities: automatically reconcile users with multiple IDs
  • Advanced Query Builder: make every field stored available for query
  • Quick Data Visualisation: Bar charts, column charts, you name it
  • Create Personas to deepen your search query results
  • Numerous Apps including GDPR compliance, CSV to xAPI and more
  • Statement Forwarding: send your data to another LRS/3rd party


  • Enable an L&D ecosystem that goes beyond the LMS
  • Link activity and performance to understand what drives top performers
  • Personalise learning to increase engagement
  • Highlight expertise to boost levels of morale and lower turnover
  • Share data with learners to understand performance using quantified-self measures
  • Standardise data structure
  • Sharing data from multiple sources acting as a single source
  • Avoid vendor lock-in by storing data outside of the LMS
  • Switch between LRSs for truly flexible data visibility
  • Optimise performance based on up-to-the-minute learner data


£7500 to £30000 per instance per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

3 6 8 7 8 9 5 9 0 0 3 0 0 3 1


HT2 Limited

Alan Betts


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Learning Locker will work on all modern browsers and systems
  • A connection speed of 20Mbps recommended for some content types

User support

User support
Email or online ticketing support Email or online ticketing
Support response times HT2’s SLA is based upon working hours of 9am - 5pm, Monday to Friday in the UK, excluding public holidays. Priority response times are in four categories P1, P2, P3, and P4. Response times are 1, 2,3 and 4 hours respectively.
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support No
Support levels Support and hosting is included in the licence fees.

The Customer may log new support queries using HT2’s automated email Helpdesk system at:
Alternatively, the Customer may contact the HT2 Account Manager.

We also have a dedicated Customer Success Manager to help companies get started and as needed throughout the contract.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started New Learning Locker clients are provided with full set-up, training and customisation.

Generally, a new organisation will go through the following steps with us:
We create instances for them as required (staging, production etc).
We train them and assist in building queries and visualisations.
We train them in administration - user management etc.
We ensure that their data sources are xAPI compliant, helping achieve this through custom development work where required.

We work closely with them through implementation and set up, and then as required through the contract.

We are able to provide onsite or remote training, and there is extensive user documentation, a user community, and user support available at:
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction We have a specific GDPR app that allows an individual's data to be quickly queried, returning all data held, for transfer/inspection by the individual, and/or deletion.
End-of-contract process Data can be exported and transferred to the organisation in whichever format is most suitable, usually CSV.

Users are then removed, organisation deleted, all data deleted.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Service interface No
What users can and can't do using the API Everything is accessible via API - the service is API-driven.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation We work closely with all clients to set up as per their requirements.


Independence of resources All systems are monitored and have the ability to autoscale services based on demand.


Service usage metrics Yes
Metrics types Yes, monitored by us, available to client on request.
Total amount of data stored.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Organisations are able to export their data via CSV, an individual user's data can be quickly queried via our GDPR app for export.
Data export formats
  • CSV
  • Other
Other data export formats XAPI
Data import formats
  • CSV
  • Other
Other data import formats XAPI (RESTful method)

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability HT2 guarantees that the Service will be available to the Partner for not less than 99.5% of each calendar month (where a calendar month is considered to be 730 hours), excluding known maintenance windows and scheduled downtime. Where the service must be taken offline for maintenance, HT2 will endeavour to give the Partner at least five working days notice. In certain circumstances, such as in the event of a security concern, it may be necessary to take the service offline at less notice. Where possible, maintenance will be performed outside of core business hours, either at evenings or weekends. Service downtime during these windows will always be kept to an absolute minimum; typical maintenance windows last around 15 minutes. HT2 will notify the Partners named representative of all maintenance windows and schedules.
Approach to resilience At every stage all services are built with redundancy in mind. Whether it be load balancing application servers, or replica/slave database setups. We also ensure that where we have multiple instances of hardware for failover that they exist across different physical zones.
Outage reporting Clients are notified via email, either to business contact or specified emergency contact for outages.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Our stance is one of ‘least privileges’ with personnel being granted only the minimum data access required to perform their role on a given task. These processes govern our operating processes, from the physical security of the buildings in which we work, to the security practices we follow in writing and deploying applications.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 British Assessment Bureau
ISO/IEC 27001 accreditation date 02/09/2013
What the ISO/IEC 27001 doesn’t cover S9.4.4 Use of Privileged utility programs.
We do not use Privileged utility Programs that might be capable of overriding system and application controls as such there is no process in place to restrict or control such system.

s10.1.1 and s10.1.1 We apply encryption externally according to the needs of our customers. However it is felt inappropriate to do the same internally as the ability to use data is central to many of the tasks we undertake internally.

s11.1 Data is stored on our third party cloud providers with extensive security provisions in place. As a result of this and a policy of not storing special personally identifiable information locally on clients our offices do not have a physical security perimeter other than lockable, controlled entrance.

s14.2.7 Supervision of outsourced system development - this is not considered required since we do not outsource such development.

s14.3.1 - Test data selection. Our clients select test data to test system integration and setup. As a result we do not have a policy around test data selection.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Privacy Shield

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes As part of our ISO27001 we defined our Information Security Management systems policy which is appended to this application. Our Data Security Officer and ISO manager reports directly to the Chairman of the Board of Directors.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The Senior Management Team control any potential changes, this is then delegated to a responsible person as a “project manager”.

He will conduct a “research background” to determine the feasibility of changes with regards to:-

Purpose of the change
Any potential consequences
Integration of the quality management system
The availability of resources
The allocation or reallocation of responsibilities and authorities
Technical Skills

Once completed this then forms part of the Management Review together with including within the internal audit schedule.

All code is published through version control and goes through both peer code reviews and then QA.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We commission annual penetration testing by NCC Group Trust and develop our solution following OWASP guidelines.

Critical security patches applied as soon as possible as part of managed hosting agreements. Minor patches are applied as part of regular update patterns, which are typically applied once per month.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We manage potential compromises by exception. We get system notifications for unusual traffic etc. from our third party provider. Rackspace/ AWS employs an IDS at the perimeter of its network with 24/7 active monitoring. In addition we deploy New Relic monitoring tools at our application layer. This is monitored by HT2 staff.
Incident management type Supplier-defined controls
Incident management approach Incidents are defined as part of our Business Continuity and Disaster Recovery Plan that is being tested at least once a year. We further have a Data loss prevention strategy that outlines our approach to a Data incidents. Our Data Security Officer will contact customers of a (potential) data loss. The reports are given in writing via email.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £7500 to £30000 per instance per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The service is available free for 30 days, allows full use of SaaS (subject to acceptable use policy).

Service documents

Return to top ↑