At MobieTrain, we prioritize ease of access for frontline workers while maintaining a responsible approach to platform security. This article outlines key aspects of how access, user roles, and data protection are managed within our system.
🔑 Access & Authentication
Is access protected by username and password?
Yes. Access to the MobieTrain platform (both CMS and App) is managed via username and password.
Can we enforce Multi-Factor Authentication (MFA)?
MobieTrain does not offer built-in MFA at this time. However, clients can enforce MFA through third-party Single Sign-On (SSO) solutions, such as Microsoft Entra (formerly Azure Active Directory). When configured, the MFA policy applied in Entra will be enforced for both CMS and App users.
🔐 Password Policy
What is the current password policy?
We currently allow very simple passwords (e.g., as short as 5 characters).
This is by design: our platform is built for a broad range of users, including those with low digital or general literacy levels, such as frontline workers in retail or hospitality. Strict password requirements would introduce a significant barrier to entry for many of these users.
That said, for enhanced security:
We recommend clients use SSO for CMS users and other critical roles.
You can implement your own identity policies via SSO/MFA for all users.
👥 User Management
How are users onboarded and offboarded?
➡️ (To be completed by Sven)
We recommend documenting how you integrate with HR systems, bulk upload options, invite flows, and user deactivation.
🧑‍💼 Role-Based Access Control
Is role-based access supported?
Yes. Role-based access is available in the CMS (Content Management System).
There are two primary CMS roles:
Admin – Full access to manage users, content, and settings.
Store Manager – More limited access, typically restricted to viewing/reporting or managing users in specific groups.
In the App, there are no roles—access to content is determined by User Groups.
🧩 User Groups: Controlling Access to Content
Each App user belongs to one or more User Groups, which determine which learning content they can access. These groups are highly flexible and can be based on:
Country
Job role
Store location
Training track
Or any custom structure defined by the client
This system allows precise control over who sees what content, while keeping the interface simple for end users.
👤 Account Management
Who can create or remove accounts?
Only users with the Admin role in the CMS can:
Invite new users
Create/delete accounts
Assign users to User Groups
Users invited to the App will complete their onboarding by setting their password and filling in personal info (e.g., name, email, phone).
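To make the three preceding sections concrete (CMS roles, User Groups as the only App access control, and Admin-only account management), here is an added example that models those rules as authorization checks. It is illustrative code written for this page, not MobieTrain's implementation: the group names, content identifiers and the exact scope of a Store Manager (read access to users inside the groups it manages) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed role identifiers; the page names the roles but not their internal values.
ADMIN = "admin"
STORE_MANAGER = "store_manager"


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)           # User Groups (App content access)
    cms_role: Optional[str] = None                     # None for App-only users
    managed_groups: set = field(default_factory=set)   # assumed Store Manager scope


# Constructed sample mapping: which User Group unlocks which learning content.
CONTENT_BY_GROUP = {
    "country:BE": {"be-safety-basics"},
    "role:cashier": {"pos-handling", "refund-policy"},
    "store:antwerp-01": {"antwerp-opening-checklist"},
}


def visible_content(user: User) -> set:
    """App access has no roles: a user sees the union of content of all its groups."""
    return set().union(*(CONTENT_BY_GROUP.get(g, set()) for g in user.groups))


def can_access_user_record(actor: User, target: User) -> bool:
    """Admins see every user; a Store Manager only users who share one of its
    managed groups; App-only users (no CMS role) get nothing. Default is deny."""
    if actor.cms_role == ADMIN:
        return True
    if actor.cms_role == STORE_MANAGER:
        return bool(actor.managed_groups & target.groups)
    return False


def assign_group(actor: User, target: User, group: str) -> bool:
    """Only Admins may change group membership (the page lists this as an Admin
    capability). Keeping this Admin-only matters: whoever can add groups can
    widen what a user, including themselves, is allowed to see."""
    if actor.cms_role != ADMIN:
        return False
    target.groups.add(group)
    return True


def delete_account(actor: User, directory: dict, name: str) -> bool:
    """Account deletion is likewise Admin-only; a Store Manager cannot remove
    users even inside its own groups."""
    if actor.cms_role != ADMIN or name not in directory:
        return False
    del directory[name]
    return True
```

The deny-by-default shape of `can_access_user_record` is the point: a new CMS role with an unrecognised `cms_role` value, or a user with no groups, gets no access until someone explicitly grants it.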
🔗 Can we use Microsoft Entra ID (formerly Azure AD)?
Yes. Microsoft Entra ID (SSO) can be used as the identity provider for both:
Admins accessing the CMS
End-users accessing the App
This enables centralized identity management and MFA enforcement on your side.
🔏 Data Privacy & Minimal Personal Data
MobieTrain was designed with accessibility and privacy in mind. The only personal information we store is:
First name
Last name
Email and/or phone number
This minimal data model supports our mission of inclusivity and usability for all employees, especially those without regular computer or email access.
🛡️ Platform Security Practices
We take platform security seriously and follow industry best practices:
Penetration Tests: Conducted twice per year by independent security firms
Vulnerability Response: All findings are assessed. They are either remediated or, where the risk is accepted based on our platform model, documented as accepted risks; this is what any open item in a pentest report represents.
Compliance Documentation:
ISO 27001 Certificate
GDPR compliance documentation
Latest pentest results
Available upon request.
📋 Technical Clarifications from Recent Security Review
1. X-Frame-Options
This header is intentionally omitted so that clients can embed MobieTrain in internal platforms and intranets. We consider this a valid business case.
2. Referrer Policy
Not flagged in our most recent pentest, but we will review and address if needed.
3. Permissions Policy
Also not flagged, but under review based on recent feedback.
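Omitting X-Frame-Options means that, unless a Content-Security-Policy `frame-ancestors` directive is present, any origin can frame the application. The same embedding use case can be served by `frame-ancestors` with an allow-list of the client's intranet origins (the old `X-Frame-Options: ALLOW-FROM` is obsolete and ignored by current browsers). The following added example, written for this page and not part of MobieTrain's code, audits a response for the three headers discussed in this review and builds a hardened header set. The two HTTP responses and the allowed origin are constructed samples; the Referrer-Policy and Permissions-Policy values are assumed defaults that a real deployment would tune to the features the app uses.

```python
from typing import Optional

# Constructed sample: a response with no framing control at all (the situation
# described above when X-Frame-Options is omitted and no CSP is sent).
AS_IS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Secure; HttpOnly
"""


def parse_headers(raw: str) -> dict:
    """Parse raw response text into a lowercase-name -> value dict (status line skipped)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors sources from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit(raw: str) -> dict:
    """Report who may frame the page plus the two other headers from the review.
    Browsers that support CSP frame-ancestors give it precedence over X-Frame-Options."""
    h = parse_headers(raw)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()
    if sources is not None:
        framing = "none" if sources == ["'none'"] else "restricted"
    elif xfo == "DENY":
        framing = "none"
    elif xfo == "SAMEORIGIN":
        framing = "restricted"
    else:
        framing = "any origin may frame"
    return {
        "framing": framing,
        "referrer_policy": h.get("referrer-policy"),
        "permissions_policy": h.get("permissions-policy"),
    }


def embed_headers(allowed_origins: list) -> dict:
    """Headers that keep the intranet-embedding use case while closing it to
    every other origin. Policy values are assumed starting points."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(allowed_origins),
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }


def render_response(extra: dict) -> str:
    """Build a constructed response carrying the given extra headers."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8"]
    lines += [f"{name}: {value}" for name, value in extra.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("as-is:    ", audit(AS_IS_RESPONSE))
    hardened = render_response(embed_headers(["https://intranet.example.com"]))
    print("hardened: ", audit(hardened))
```

Run it against a real deployment by pasting the raw headers (from `curl -sI` or the browser's network panel) in place of the constructed strings; the audit is what a reviewer checks before accepting a missing X-Frame-Options as a business decision rather than a finding.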
📩 Need More Info?
We’re happy to provide further documentation or assist with integration planning. Please contact your Customer Success Manager, who can, if needed, check your questions with our Security & Compliance Team.