Security & Privacy
Edsthetic was built in and for Australian schools. Every security and privacy decision reflects the obligations and expectations of the Australian education sector - from the Privacy Act 1988 (Cth) to the sensitivity of NCCD disability data.
Both Writeiq and Allocateiq are built on the same security infrastructure. There is no separate “secure version” - security is the default at every layer. The architecture is designed for the Australian school context, where student data includes sensitive categories (disability classifications, learning support records) and must be handled with corresponding care.
All data at rest is stored in AWS Sydney (ap-southeast-2). Writing submissions sent for assessment are processed via Anthropic's API, which may execute outside Australia. For typed submissions no student, class, or school identifiers are included. For scanned submissions (Writeiq Vision add-on), the scanned page is sent to Anthropic along with whatever the student wrote at the top (typically a name, or a student ID if the school prefers). Anthropic's DPA prohibits training on API data and states that data is not retained beyond request processing. Databases, file storage, and all stored school data remain in AWS Sydney.
All data is encrypted at rest using AES-256 managed by AWS. All data in transit uses TLS 1.2 or higher. HTTPS is enforced on every endpoint - no unencrypted connections are accepted at any layer. Database connections use TLS with certificate verification.
Every school's data is isolated at the database layer using Supabase row-level security (RLS). Nine tables are fully locked - no open policies exist. Data isolation is enforced by the database itself, not by application logic alone. No school can access another school's data under any circumstances.
All staff and coordinator PINs are hashed using PBKDF2-SHA-256 with a unique random salt generated per account at the time the PIN is set. Iteration count is 600,000 (OWASP 2023 baseline). Plaintext PINs are never stored, logged, or transmitted after hashing. PIN verification happens server-side in dedicated edge functions — the client never reads stored hashes. Brute-force protection enforces a five-attempt lockout per account, scoped by IP. Session tokens are server-signed JWTs; clients cannot forge or extend them.
Students access Writeiq via class code only - no personal account, no email address, no password is required or collected. Only first name and year level are stored unless the school provides additional identifiers. Student writing submissions are stored per school and are not accessible across schools.
Student submissions, Education Support Specialist records, writing assessment data, and all school data are never used to train any machine learning or AI model - internal or external, including Anthropic models. This is a hard contractual commitment in the Data Processing Agreement, not a policy subject to revision.
All pages are served with HSTS (2 years, includeSubDomains, preload), Content Security Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy. These headers are enforced at the CDN layer (Netlify) before requests reach the application.
NCCD data includes student disability categories (QDTP, Supplementary, Substantial, Extensive), specialist assignments, and program records. This constitutes sensitive information under the Privacy Act. Allocateiq treats all NCCD data as sensitive - access is role-based, data is encrypted, and no NCCD data is shared with third parties.
Writeiq is designed for whole-school simultaneous marking. Each school has a dedicated traffic allocation sized to its licence tier, which means one school's peak traffic cannot affect another school's service. In the rare event of an unusual spike — for example, every staff member submitting at the same moment during a large assessment event — requests queue briefly and display a progress indicator rather than failing. No staff action is required; the platform recovers automatically within seconds.
Edsthetic is an Australian business serving Australian schools. Our compliance obligations and commitments reflect both federal and state-level privacy legislation.
| Obligation | Framework | How Edsthetic meets it |
|---|---|---|
| Australian Privacy Principles (APPs) | Privacy Act 1988 (Cth) - 13 principles | Privacy Policy at /privacy. Data breach notification within 72 hours under the Notifiable Data Breaches scheme. DPA available for school sign-off. OAIC-compliant. |
| Sensitive information handling | APP 3, APP 6 - disability data is sensitive information | NCCD disability categories in Allocateiq are treated as sensitive information. Access is role-restricted. No secondary use without consent. Not disclosed to third parties except as required for service delivery. |
| Notifiable Data Breaches | Part IIIC, Privacy Act 1988 (Cth) | Schools notified within 72 hours of a breach likely to cause serious harm. Incident response plan maintained. OAIC notified as required. |
| Victorian Privacy and Data Protection | Privacy and Data Protection Act 2014 (Vic) | Data handling consistent with Victorian Information Privacy Principles for schools operating under the Victorian Department of Education framework. |
| NSW Privacy obligations | Privacy and Personal Information Protection Act 1998 (NSW) | NSW schools: data handling consistent with Information Protection Principles. Health Privacy Principles apply to disability-related data. |
| Data Processing Agreement | School as data controller, Edsthetic as data processor | DPA available as a downloadable PDF. Defines roles, data types processed, retention periods, deletion rights, and incident response obligations. Schools can request the DPA before signing any agreement. |
| Right to deletion | APP 13 - correction and deletion | Schools may request deletion of all school data at any time. Data is fully deleted within 30 days of a valid deletion request. Off-boarding process documented in the DPA. |
| Third-party processing | APP 8 - cross-border disclosure | Data is processed by Supabase (US parent company, Australian infrastructure). Supabase processes data solely as directed and is bound by equivalent obligations under their Data Processing Agreement with Edsthetic. Anthropic processes writing submissions through the Supabase edge function for intelligent lesson plan generation only - submissions are not retained by Anthropic. |
These are not terms that can be changed through a policy update or a new version of the privacy policy. They are contractual commitments made in the Data Processing Agreement signed with each school.
| We never | Why this matters for schools |
|---|---|
| Use student data for advertising | No student profile, behaviour, or writing data is used to serve, target, or optimise advertising - for any product, from any company, including Edsthetic. |
| Train AI models on school data | Student writing submissions, assessment results, Education Support Specialist schedules, and NCCD data are not used to train any model. Anthropic’s API usage policy independently prohibits use of API-submitted data for model training. Student writing sent for marking is processed transiently and not retained. |
| Sell or share data with third parties | School data is not sold, licensed, or shared with any third party for commercial purposes. Subprocessors (Supabase, Anthropic, Netlify, PostHog, Sentry) operate under binding data processing agreements. Parent report emails are sent from the teacher’s own school email address - no third-party email service is used and no data leaves Writeiq for email delivery. |
| Store plain-text credentials | No PIN, password, or authentication credential is ever stored in plain text. All credentials are one-way hashed with PBKDF2-SHA-256 (600,000 iterations) using a unique random salt generated per account. Hashes are verified server-side; clients never read stored hashes. |
| Route data outside Australia | School data at rest is stored in AWS Sydney (ap-southeast-2). Database queries are processed within that region. Edge functions (licence validation, email delivery) run on Supabase’s globally-distributed compute layer; function execution may occur in the nearest available node. Writing submissions sent for intelligent assessment are processed by Anthropic’s API in the United States. For typed submissions no student, class, or school identifiers are sent. For scanned submissions (Writeiq Vision add-on) the image is sent along with whatever the student has written at the top of the page (typically a name, or a student ID if the school prefers); Anthropic does not retain this data beyond request processing per their API DPA. Parent report emails are generated in the browser and sent from the teacher’s own email client — no email content leaves Writeiq servers. |
| Retain data after deletion requests | Following a valid school deletion request, all school data is permanently deleted within 30 days. No backup copies are retained beyond that period. |
Schools handle some of the most sensitive personal data in the community - children's learning records, disability classifications, and wellbeing information. Edsthetic is designed specifically for this context.
Writeiq scans student writing submissions for content that may indicate the student is at risk. Submissions flagged by safeguarding detection are held for teacher review before feedback is shown to the student. Teachers cannot disable this check.
Students access Writeiq via a class code. No Google account, no email, no personal login is required. This means no Google or Microsoft account data is associated with student submissions. First name only - collected from the student themselves at the point of access.
Disability categories in Allocateiq (QDTP, Supplementary, Substantial, Extensive) are sensitive information under the Privacy Act. Access to NCCD data is role-restricted to coordinator and leader roles. Student NCCD data is not visible to Education Support Specialists in their day-view schedule.
Both products operate on a multi-role model. In Writeiq: student, teacher, leader, and admin roles have separate access scopes. In Allocateiq: coordinator, learning support, and read-only roles are separated. Cross-school data isolation is enforced at the database layer by Supabase row-level security. Intra-school role separation (for example, a teacher not being able to read a coordinator's PIN) is enforced by server-side edge functions that verify PINs with the service-role key — PIN hashes are never returned to the browser.
Authentication sessions are server-signed JWTs with a short expiry (8 hours for staff and LSO sessions, 24 hours for admin panel operators). Tokens are issued fresh on every successful login. Clients store the token but cannot forge or extend it — the signing key lives only on the server. PIN hashes are never returned to the client. Brute-force lockout is enforced server-side at five failed attempts and cannot be cleared by the user.
A school-ready DPA is available for download and review before signing any agreement with Edsthetic. It defines: data types processed, legal basis, retention periods, deletion rights, subprocessors, incident response timelines, and Edsthetic’s obligations as data processor. Download DPA →
Edsthetic uses five subprocessors. Each is bound by a data processing agreement that reflects our obligations to schools. Two (Supabase and Anthropic) process school data directly; the remaining three (Netlify, PostHog, Sentry) process infrastructure and operational telemetry only, with no student content.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase / AWS | Database, authentication, edge functions, file storage | All school data: student records, writing submissions, Learning Support schedules, NCCD data, staff credentials | AWS ap-southeast-2 (Sydney, Australia) |
| Anthropic (API) | Intelligent writing assessment (Writeiq engine), scanned handwriting transcription (Writeiq Vision add-on), and lesson plan generation (Teach Next) |
Typed writing assessment: student writing text, writing type, year level, scoring criteria. No student names, class names, or school identifiers are included. Scanned writing (Writeiq Vision, add-on): a base64-encoded image of the scanned page plus an instruction to transcribe the student’s writing. Because each page needs to be matched back to the correct student, whatever the student has written at the top of the page — typically their name, though a student ID number is equally supported — is read and returned so the transcription can be associated with the right record. Schools that prefer to avoid sending names can instruct students to write a student ID on their page instead; Writeiq will match on the ID the same way. Vision is an optional add-on and can be turned off entirely. Lesson plans (Teach Next): writing type, year level, criterion, band, genre, and optional unit topic. No student, class, or school identifiers. |
Processed via API in the United States. Anthropic’s API Data Processing Agreement prohibits the use of API-submitted data for model training and states that data is not retained beyond request processing. |
| Netlify | Application hosting and CDN | No school data. Static file serving only. Access logs (anonymised IP, request path) subject to Netlify’s privacy policy. | United States (CDN global). No personal data stored beyond standard access logs. |
| PostHog | Product analytics (anonymous usage events) | No student data. No submission content. No staff names or PINs. Captures only anonymous page-view events and navigation (tab-switching) events from the admin panel and marketing site, tied to an auto-generated anonymous identifier. Used to understand how schools navigate the product so we can improve it. | Processed via EU-region PostHog infrastructure. PostHog’s own DPA applies. |
| Sentry | Error monitoring and crash reporting | No student content. No submission text. Error messages and stack traces from the four products (marketing site, Writeiq, Allocateiq, admin panel) when something fails. Before transmission, a client-side scrubber removes PIN hashes, licence keys, authorisation headers, and any text field containing student names. Data retained 90 days from capture. | Processed via US-region Sentry infrastructure. Sentry’s own DPA applies. |
The following policies set out our commitments in detail. All are reviewed at least annually.
How we handle deletion requests, licence expiry, pilot termination, and backup retention. Aligned with APP 11.2. Read policy →
How we detect, contain, and notify on security incidents. Aligned with the Notifiable Data Breaches scheme. Read plan →
A 15-minute practical guide for coordinators, teachers, and LSOs. Schools should ensure all staff read this before first use. Read training →
The formal DPA governing the processing of school data. Signed before any paid contract is executed. Download PDF →
Security reviews, DPA requests, data deletion, or incident reporting - contact us directly.