Security & Privacy
Edsthetic was built in and for Australian schools. Every security and privacy decision reflects the obligations and expectations of the Australian education sector — from the Privacy Act 1988 (Cth) to the sensitivity of NCCD disability data.
Both Writeiq and Allocateiq are built on the same security infrastructure. There is no separate “secure version” — security is the default at every layer. The architecture is designed for the Australian school context, where student data includes sensitive categories (disability classifications, learning support records) and must be handled with corresponding care.
All school data at rest is stored in AWS Sydney (ap-southeast-2) on Supabase infrastructure, which meets Australian data sovereignty requirements for stored data, and database queries are processed within that region. Two narrow exceptions, set out in the subprocessor table below, apply to data in flight: edge functions may execute on Supabase's nearest available node, and writing text sent to Anthropic's API for assessment is processed in the United States with no student names or school identifiers attached.
All data is encrypted at rest using AES-256 managed by AWS. All data in transit uses TLS 1.2 or higher. HTTPS is enforced on every endpoint — no unencrypted connections are accepted at any layer. Database connections use TLS with certificate verification.
Every school's data is isolated at the database layer using Supabase row-level security (RLS). Nine tables are fully locked: RLS is enabled on each and no open (unconditionally permissive) policy exists. Isolation is enforced by the database itself, not by application logic alone, so an application bug cannot by itself expose one school's rows to another. No school can access another school's data under any circumstances.
All coordinator and LSO PINs are hashed using SHA-256 with a unique salt per account before storage. Plain-text credentials are never stored, logged, or transmitted. Brute-force protection enforces a lockout after five failed attempts. Session tokens are rotated on authentication.
Students access Writeiq via class code only — no personal account, no email address, no password is required or collected. Only first name and year level are stored unless the school provides additional identifiers. Student writing submissions are stored per school and are not accessible across schools.
Student submissions, LSO records, writing assessment data, and all school data are never used to train any machine learning or AI model — internal or external, including Anthropic models. This is a hard contractual commitment in the Data Processing Agreement, not a policy subject to revision.
All pages are served with HSTS (1 year, includeSubDomains), Content Security Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy. These headers are enforced at the CDN layer (Netlify) before requests reach the application.
NCCD data includes student disability categories (QDTP, Supplementary, Substantial, Extensive), LSO assignments, and program records. This constitutes sensitive information under the Privacy Act. Allocateiq treats all NCCD data as sensitive: access is role-based, data is encrypted, NCCD data is never included in calls to the AI provider, and it is not disclosed to any third party beyond the hosting subprocessor.
Edsthetic is an Australian business serving Australian schools. Our compliance obligations and commitments reflect both federal and state-level privacy legislation.
| Obligation | Framework | How Edsthetic meets it |
|---|---|---|
| Australian Privacy Principles (APPs) | Privacy Act 1988 (Cth) — 13 principles | Privacy Policy at /privacy, structured around the 13 APPs. Affected schools notified of a data breach within 72 hours under the Notifiable Data Breaches scheme. DPA available for school sign-off. Handled in line with OAIC guidance. |
| Sensitive information handling | APP 3, APP 6 — disability data is sensitive information | NCCD disability categories in Allocateiq are treated as sensitive information. Access is role-restricted. No secondary use without consent. Not disclosed to third parties except as required for service delivery. |
| Notifiable Data Breaches | Part IIIC, Privacy Act 1988 (Cth) | Schools notified within 72 hours of a breach likely to cause serious harm. Incident response plan maintained. OAIC notified as required. |
| Victorian Privacy and Data Protection | Privacy and Data Protection Act 2014 (Vic) | Data handling consistent with Victorian Information Privacy Principles for schools operating under the Victorian Department of Education framework. |
| NSW Privacy obligations | Privacy and Personal Information Protection Act 1998 (NSW) | NSW schools: data handling consistent with Information Protection Principles. Health Privacy Principles apply to disability-related data. |
| Data Processing Agreement | School as data controller, Edsthetic as data processor | DPA available as a downloadable PDF. Defines roles, data types processed, retention periods, deletion rights, and incident response obligations. Schools can request the DPA before signing any agreement. |
| Right to deletion | APP 11.2 (destruction or de-identification) and APP 13 (correction) | Schools may request deletion of all school data at any time. Data is fully deleted within 30 days of a valid deletion request. Off-boarding process documented in the DPA. |
| Third-party processing | APP 8 — cross-border disclosure | Data is processed by Supabase (US parent company, Australian infrastructure). Supabase processes data solely as directed and is bound by equivalent obligations under their Data Processing Agreement with Edsthetic. Anthropic processes writing submissions through the Supabase edge function for AI-generated lesson plans only — submissions are not retained by Anthropic. |
These are not terms that can be changed through a policy update or a new version of the privacy policy. They are contractual commitments made in the Data Processing Agreement signed with each school.
| We never | Why this matters for schools |
|---|---|
| Use student data for advertising | No student profile, behaviour, or writing data is used to serve, target, or optimise advertising — for any product, from any company, including Edsthetic. |
| Train AI models on school data | Student writing submissions, assessment results, LSO schedules, and NCCD data are not used to train any model. Anthropic’s API usage policy independently prohibits use of API-submitted data for model training. Student writing sent for marking is processed transiently and not retained. |
| Sell or share data with third parties | School data is not sold, licensed, or shared with any third party for commercial purposes. Subprocessors (Supabase, Anthropic, Netlify) operate under binding data processing agreements. Parent report emails are sent from the teacher’s own school email address — no third-party email service is used and no data leaves Writeiq for email delivery. |
| Store plain-text credentials | No PIN, password, or authentication credential is ever stored in plain text. All credentials are one-way hashed with SHA-256 and a unique salt before storage. |
| Store school data outside Australia | School data at rest is stored in AWS Sydney (ap-southeast-2). Database queries are processed within that region. Edge functions (licence validation, email delivery) run on Supabase's globally-distributed compute layer; function execution may occur in the nearest available node. Writing submissions sent for AI assessment are processed transiently by Anthropic's API in the United States, with no student names or school identifiers included. Parent report emails are generated in the browser and sent from the teacher's own email client, so no email content leaves Writeiq servers. |
| Retain data after deletion requests | Following a valid school deletion request, all school data is permanently deleted within 30 days. No backup copies are retained beyond that period. |
Schools handle some of the most sensitive personal data in the community — children's learning records, disability classifications, and wellbeing information. Edsthetic is designed specifically for this context.
Writeiq scans student writing submissions for content that may indicate the student is at risk. Submissions flagged by safeguarding detection are held for teacher review before feedback is shown to the student. Teachers cannot disable this check.
Students access Writeiq via a class code. No Google account, no email, no personal login is required. This means no Google or Microsoft account data is associated with student submissions. Only a first name and year level are collected, from the student themselves at the point of access.
Disability categories in Allocateiq (QDTP, Supplementary, Substantial, Extensive) are sensitive information under the Privacy Act. Access to NCCD data is role-restricted to coordinator and leader roles. Student NCCD data is not visible to LSOs in their day-view schedule.
Both products operate on a multi-role model. In Writeiq: student, teacher, leader, and admin roles have separate access scopes. In Allocateiq: coordinator and LSO roles are separated. Cross-role data leakage is prevented at the database layer by Supabase row-level security policies that check the caller's role, not by application logic.
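The two isolation claims on this page, per-school separation of rows and role scoping within a school, are what Postgres row-level security provides on Supabase. The following is an added example, not Edsthetic's schema or policies: the table names and columns, and the placement of the `school_id` and `role` claims inside the JWT's `app_metadata`, are assumptions. It ends with the catalogue query a reviewer would run to confirm that no table in the schema is missing RLS or has been left without any policy.

```sql
-- Added example (not Edsthetic's schema): per-school isolation and role scoping
-- with Postgres row-level security as used on Supabase. Table/column names and
-- the JWT claim layout (school_id and role under app_metadata) are assumptions.

create table if not exists students (
  id          uuid primary key default gen_random_uuid(),
  school_id   uuid not null,
  first_name  text not null,
  year_level  smallint not null
);

create table if not exists nccd_records (
  id          uuid primary key default gen_random_uuid(),
  school_id   uuid not null,
  student_id  uuid not null references students(id),
  category    text not null
              check (category in ('QDTP', 'Supplementary', 'Substantial', 'Extensive'))
);

-- Helpers that read the caller's tenant and role from the Supabase JWT.
-- auth.jwt() is a Supabase-provided function; the claim paths are assumed.
create or replace function current_school_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'school_id', '')::uuid
$$;

create or replace function current_role_name() returns text
language sql stable as $$
  select auth.jwt() -> 'app_metadata' ->> 'role'
$$;

-- 1. Enable RLS: with no policy attached, every row is denied to non-owner roles.
alter table students     enable row level security;
alter table nccd_records enable row level security;

-- 2. Force RLS so the table owner is subject to the policies as well.
alter table students     force row level security;
alter table nccd_records force row level security;

-- 3. Tenant isolation: a row is visible and writable only to the school that owns it.
--    WITH CHECK stops an insert or update from re-homing a row to another school.
create policy students_same_school on students
  for all to authenticated
  using (school_id = current_school_id())
  with check (school_id = current_school_id());

-- 4. Role scoping on top of tenant isolation: NCCD rows are readable by
--    coordinators and leaders of the same school; LSOs match no rows.
--    (Write policies omitted for brevity.)
create policy nccd_coordinator_read on nccd_records
  for select to authenticated
  using (school_id = current_school_id()
         and current_role_name() in ('coordinator', 'leader'));

-- Review query: any ordinary table in public that has RLS disabled, or RLS
-- enabled with zero policies, is listed here and should fail a deployment review.
select c.relname              as table_name,
       c.relrowsecurity       as rls_enabled,
       c.relforcerowsecurity  as rls_forced,
       count(p.polname)       as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
having not c.relrowsecurity or count(p.polname) = 0;
```

Two things these policies do not cover and a reviewer should check separately: Supabase's `service_role` key bypasses RLS entirely, so it must remain server-side and never reach a browser; and plain `ENABLE ROW LEVEL SECURITY` exempts the table owner, which is why the `FORCE` step is included.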
Authentication sessions are token-based with expiry. Session tokens are invalidated on logout. Brute-force lockout is enforced at five failed attempts. Admin and leader PINs are stored as salted SHA-256 hashes — not reversible even by Edsthetic.
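The PIN storage and five-attempt lockout described in this paragraph and in the earlier credentials paragraph, as an added example rather than Edsthetic's own code: a pair of Postgres functions using pgcrypto, of the kind exposed as a Supabase RPC. The page supplies the hash construction (SHA-256 over a per-account salt and the PIN) and the lockout threshold; the table name, the 15-minute lockout window, and the three-way verdict returned by `verify_pin` are assumptions.

```sql
-- Added example (not Edsthetic's code): salted SHA-256 PIN storage with a
-- five-failure lockout, implemented as Postgres/pgcrypto functions.
-- Table name, 15-minute window and the verdict strings are assumptions.
create extension if not exists pgcrypto;

create table if not exists staff_credentials (
  account_id      uuid primary key,
  pin_salt        bytea not null,            -- 16 random bytes, unique per account
  pin_hash        bytea not null,            -- sha256(salt || pin)
  failed_attempts int   not null default 0,
  locked_until    timestamptz
);

-- Set or reset a PIN. A fresh salt is drawn every time; the PIN itself is never stored.
create or replace function set_pin(p_account uuid, p_pin text) returns void
language plpgsql security definer as $$
declare
  v_salt bytea := gen_random_bytes(16);
begin
  insert into staff_credentials (account_id, pin_salt, pin_hash)
  values (p_account, v_salt, digest(v_salt || convert_to(p_pin, 'UTF8'), 'sha256'))
  on conflict (account_id) do update
    set pin_salt        = excluded.pin_salt,
        pin_hash        = excluded.pin_hash,
        failed_attempts = 0,
        locked_until    = null;
end $$;

-- Verify a PIN. Returns 'ok', 'bad_pin' or 'locked'. Each wrong PIN increments
-- the counter; the fifth consecutive failure locks the account for 15 minutes.
create or replace function verify_pin(p_account uuid, p_pin text) returns text
language plpgsql security definer as $$
declare
  v_row   staff_credentials%rowtype;
  v_fails int;
begin
  -- Row lock so concurrent guesses cannot race past the counter.
  select * into v_row from staff_credentials
   where account_id = p_account for update;
  if not found then
    return 'bad_pin';    -- same verdict as a wrong PIN: no account enumeration
  end if;

  if v_row.locked_until is not null and v_row.locked_until > now() then
    return 'locked';
  end if;

  if v_row.pin_hash = digest(v_row.pin_salt || convert_to(p_pin, 'UTF8'), 'sha256') then
    update staff_credentials
       set failed_attempts = 0, locked_until = null
     where account_id = p_account;
    return 'ok';
  end if;

  -- An expired lock starts a fresh counting window.
  v_fails := case when v_row.locked_until is not null and v_row.locked_until <= now()
                  then 1 else v_row.failed_attempts + 1 end;
  update staff_credentials
     set failed_attempts = v_fails,
         locked_until    = case when v_fails >= 5 then now() + interval '15 minutes' end
   where account_id = p_account;
  return 'bad_pin';
end $$;

-- Walk-through with a constructed account id and PIN (not real data):
-- select set_pin('00000000-0000-0000-0000-000000000001', '4821');
-- select verify_pin('00000000-0000-0000-0000-000000000001', '0000');  -- repeat five times
-- select verify_pin('00000000-0000-0000-0000-000000000001', '4821');  -- now refused until the window expires
```

The lockout is the control that protects a short PIN against online guessing, and it is why the counter lives in the database rather than the client. Because SHA-256 is a fast hash, the stored value resists offline guessing only as well as the PIN space is large; where that matters, a deliberately slow hash such as pgcrypto's `crypt()` with `gen_salt('bf')` is the usual substitute for `digest()`. The `security definer` functions should be the only path to the table, with direct table access revoked from the client roles.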
A school-ready DPA is available for download and review before signing any agreement with Edsthetic. It defines: data types processed, legal basis, retention periods, deletion rights, subprocessors, incident response timelines, and Edsthetic’s obligations as data processor. Download DPA →
Edsthetic uses three subprocessors. All are bound by data processing agreements that reflect our obligations to schools.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase / AWS | Database, authentication, edge functions, file storage | All school data: student records, writing submissions, LSO schedules, NCCD data, salted staff credential hashes | AWS ap-southeast-2 (Sydney, Australia) |
| Anthropic (API) | AI writing assessment (marking) and lesson plan generation in Writeiq | Writing assessment: student writing text, writing type, year level, scoring criteria. No student names, class names, or school identifiers are included in API calls. Lesson plans: writing type, year level, criterion, and class band distribution only. | Processed via API in the United States. Anthropic's API Data Processing Agreement prohibits use of API-submitted data for model training. Data is not retained beyond request processing. |
| Netlify | Application hosting and CDN | No school data. Static file serving only. Access logs (anonymised IP, request path) subject to Netlify’s privacy policy. | United States (CDN global). No personal data stored beyond standard access logs. |
Security reviews, DPA requests, data deletion, or incident reporting — contact us directly.