Security & Compliance

Enterprise-Grade Security. Australian Data Sovereignty.

Built from day one with the security requirements of Australian schools. Every architectural decision prioritises student data protection.

Data Sovereignty

100% Australian Data Residency

All school data lives in AWS ap-southeast-2 (Sydney). Database, cache, file storage, backups — nothing leaves Australian shores.

Database & Cache

PostgreSQL RDS and Redis ElastiCache in ap-southeast-2. Multi-AZ for high availability.

File Storage

S3 buckets with SSE-S3 encryption. Bucket policies enforce region lock — no cross-region replication.

Government Ready

Full AWS-only deployment option for government contracts. No third-party SaaS dependencies required.

Data Classification

4-Level PII Classification

Every piece of data is classified at the schema level. Classification determines encryption, access control, AI eligibility, and retention.

Level

Examples

AI Access

Encryption

Public

Examples: School name, campus address, term dates

Full access

Standard TLS + at rest

Personal

Examples: Student names, parent emails, phone numbers

Pseudonymised only

Standard TLS + at rest

Sensitive

Examples: DOB, medical conditions, NDIS plans, allied health

Never sent externally

At rest (RDS/S3)

Restricted

Examples: Counsellor case notes, abuse disclosures

AES-256 encrypted, on-VPC AI only

AES-256 column-level

AI Architecture

On-VPC AI for Counsellor Data

Counsellor notes are processed by a self-hosted Llama 3 model running INSIDE the AWS VPC. Zero internet egress. Zero third-party access.

Standard AI (External)

Public & Personal data only

Names pseudonymised before API call

OpenAI / Anthropic via Vercel AI SDK

Mapping reversed server-side on return

All outputs moderated before delivery

On-VPC AI (Restricted)

Self-hosted Llama 3 inside AWS VPC

No internet egress — air-gapped processing

Counsellor notes, abuse disclosures

AES-256 decrypted only in-memory

Audit log of every inference request

Data Flow Architecture

Source

School Data

Classification

PII Engine

Pseudonymised

External AI

Encrypted

On-VPC AI

Authentication

Self-Hosted Authentication

Better Auth runs inside your VPC. No third-party auth service. Session data stays in your school's database.

Google OAuth

Staff sign in with school Google Workspace

Microsoft OAuth

Azure AD / Microsoft 365 integration

Magic Links

Passwordless email authentication for parents

Two-Factor Auth

TOTP-based 2FA for sensitive roles

Biometric

Face ID / fingerprint on School, Family, and student layouts

SAML SSO

Enterprise SAML for government deployments

Encryption

Defence in Depth

Multiple layers of encryption protect data at every stage — in transit, at rest, and at the field level.

In Transit

TLS 1.3 for all connections. HSTS enforced. Certificate pinning on mobile apps.

At Rest

RDS encrypted with AWS KMS. S3 SSE-S3 for all file uploads. Redis encrypted at rest.

Field-Level

AES-256 column encryption for counsellor notes, medical records. Key rotation every 90 days.

Access Control

26-Role Role-Based Access Control

Every API call checks authentication AND school-scoped authorisation. A teacher in School A cannot access data from School B.

Full Role Hierarchy

PrincipalDeputy PrincipalHead of CampusYear Level CoordinatorClassroom TeacherSpecialist TeacherTeacher AideLearning SupportCounsellorPsychologistSchool NurseAdmin OfficerFinance OfficerRegistrarReceptionistIT AdminChaplainLibrarianCanteen ManagerMaintenanceGroundsBus CoordinatorContractorParent/GuardianStudentSuper Admin

Every procedure checks user.schoolId matches resource.schoolId

Cross-school access only for Super Admin / Support Consultant

Row-level security enforced at the database layer as defence-in-depth

Audit trail on all permission changes

Compliance

Data Retention & Erasure

Compliant with Australian education data retention requirements and privacy legislation.

7-Year Retention

Student records, attendance, financial data, and communications retained for 7 years as required by Australian education regulations.

Student academic records
Attendance history
Financial transactions
Communication archives

Right to Erasure

GDPR-aligned erasure workflow for families. Structured process ensures compliance while maintaining legally required records.

Parent-initiated erasure request
Admin review and approval workflow
Selective erasure (preserves legal minimums)
Cryptographic deletion confirmation

Accessibility

Inclusive by Design

WCAG 2.1 AA compliance across all interfaces. Accessibility isn't an afterthought.

Automated contrast ratio checks in CI pipeline

Keyboard navigation for all interactive elements

Screen reader-optimised ARIA labels

Colour-blind safe data visualisations

Reduced motion support throughout

Large text and zoom-friendly layouts

Certifications

Certification Roadmap

Working toward industry-standard security certifications and government panel listings.

NSW DoE Panel

Feb 2027

In progress

VIC DET Panel

May 2027

Planned

ISO 27001

Aug 2027

Planned

SOC 2 Type II

Feb 2028

Planned