Staff Security Training

Why this matters

Writeiq and Allocateiq hold student writing, assessment data, and learning support information. Much of that data is sensitive under Australian privacy law, and all of it is personally meaningful to the students and families it concerns. Looking after it well is a shared responsibility between Edsthetic and the schools using the products.

This document is not a legal checklist. It is a practical guide for staff who use Edsthetic products, written to be read once, remembered, and referred to when something unusual happens.

Part 1 — Before you log in

Know your role

Edsthetic products use role-based access. Understand which role applies to you and don't try to bypass it.

Teacher (Writeiq): sees submissions from students in classes assigned to you
Leader (Writeiq): sees whole-school submission data and reports
Admin / Coordinator (Writeiq): configures the product, manages staff, resets PINs
LSO (Allocateiq): sees and updates your own timetable and student caseload
Coordinator (Allocateiq): manages all LSOs, classes, and NCCD data
Read-only (Allocateiq): view-only access for leadership reviewing NCCD reporting

If you need access the product won't grant you, speak to your coordinator. Don't log in with another staff member's credentials.

Treat licence keys like bank details

A licence key is what proves your school has bought access. Anyone with the key can connect the product to your school's data.

Do not share your licence key outside your school
Do not post it in a public Slack, Teams, or email thread
Do not paste it into AI assistants (ChatGPT, Claude, Copilot) for help
If you need to share a licence key internally, use a password manager or a direct message to one named person

If a licence key is accidentally shared or posted somewhere public, tell your coordinator immediately. Your coordinator can request a key rotation from Edsthetic and the old key is revoked within one business day.

Don't let students see PINs

Admin, Leader, and Coordinator PINs control access to staff features. Students should never see them on screen, on sticky notes, or in printed material.

Type PINs with your body between the keyboard and any student who might glance
Don't write PINs on the whiteboard or in a shared folder
Don't use the same PIN for everything; use different PINs for different roles

Part 2 — Setting strong PINs

New schools get default PINs of 110211 (admin) and 220422 (leader). These are publicly documented defaults — they are not secret. You must change them on first login.

Good PINs:

Are at least 6 digits
Are not birthdays, phone numbers, or anything on your staff profile
Are not sequences like 123456 or patterns like 112233
Are not the same as your email or banking PIN
Are different from the default

Reasonable PINs:

A 6-digit number you associate with something memorable to you but not publicly known
A year and a two-letter initial rendered numerically
Random digits written down and stored in a password manager

Edsthetic stores PIN hashes using PBKDF2-SHA-256 with 600,000 iterations and a per-account salt. This means that even if our database were compromised, your PIN cannot be recovered by a brute-force attack in any reasonable timeframe. But a PIN like 123456 defeats this protection because an attacker can guess it in one try.

Part 3 — Safer everyday use

Log out when you finish

If you're on a shared device, log out of the product when you finish. Writeiq and Allocateiq session tokens expire automatically, but an active session on a shared laptop is a trivial way for the next user to see data they shouldn't.

Watch for phishing

Attacks on education systems often come through email pretending to be from a service the school uses. If you receive an email claiming to be from Edsthetic and it asks you to click a link and enter your PIN, confirm by emailing hello@edsthetic.com.au directly.

Edsthetic will never:

· Email you a link that asks you to enter a PIN or licence key
· Ask you to install software onto a student or staff device
· Request your PIN by SMS, phone, or email
· Ask you to pay for anything by bank transfer outside the invoicing process

Don't export what you don't need

Writeiq lets you export reports as PDF and download submission bundles. Allocateiq lets you export schedules and NCCD summaries. Only export what you need and only to a device that is school-managed, encrypted, and under your control. Don't email exports to personal email addresses or upload them to personal cloud storage.

Be careful with screenshots

Screenshots of submission feedback are a common and legitimate teaching tool. But screenshots live forever once they leave a device. If you screenshot Writeiq feedback for professional learning, remove student names and class identifiers before sharing. For internal professional learning with colleagues at your own school, de-identification is still strongly recommended.

Part 4 — Recognising an incident

Report any of the following to your coordinator as soon as possible, who will in turn notify Edsthetic:

You think someone else has logged in using your credentials
You see submission data from a class or school that is not yours
The product is behaving unusually (unexpected errors, missing data, data that shouldn't be there)
You receive an email or message claiming to be from Edsthetic that asks for credentials
You have accidentally pasted a licence key or PIN somewhere public
A student or parent has reported to you that they accessed something they shouldn't have been able to
You have been asked to share student data with a third party (other than in normal school operations)

The rule of thumb: if you would tell your principal about something, tell your coordinator too. Edsthetic takes small signals seriously.

How to report

Short, factual report to your coordinator by email or direct message:

What happened (one paragraph, factual)
When it happened (approximate time is fine)
What you've done so far (if anything)
Whether you need help

Your coordinator forwards this to hello@edsthetic.com.au with "Security" in the subject line. Edsthetic acknowledges within two business days and triages per our Incident Response Plan.

Part 5 — NCCD and student data specifically

Allocateiq holds data related to the Nationally Consistent Collection of Data on School Students with Disability (NCCD). This data is sensitive under state and federal law and requires particular care.

Only staff with a legitimate role in supporting NCCD students should have Coordinator or LSO access
NCCD adjustment records should not be discussed in front of the student or their peers
NCCD exports should be shared only with staff who need them for their own teaching or support work
At end of year, NCCD data that is no longer operationally needed should be reviewed; data that no longer serves a purpose should be deleted

Part 6 — For coordinators specifically

Staff lifecycle

When a new staff member joins, add them to the product through the admin interface. Don't share an existing account.

When a staff member leaves, remove their access on their last working day. A departing staff member with active credentials is the most common source of leaked educational data; it is also the most preventable.

Check who has access regularly

At least once per term, log into the admin interface and review the list of staff accounts. Remove any that no longer belong. Confirm PINs are not set to defaults for any active account.

Keep contact details current

The coordinator email and phone number on your school's licence record are what Edsthetic uses to contact you during incidents. Keep these current by editing your school's record in the admin interface or by emailing us.

Communicate changes

If your school's privacy officer, head of IT, or principal changes, let us know by email. We update our records and make sure incident notifications go to the right people.

Part 7 — What Edsthetic does at our end

So you know what to expect from us:

School data is stored in AWS Sydney. It does not leave Australia except for transient AI processing, where no student identifiers are sent
PIN hashes use PBKDF2-SHA-256 with per-account salt
Every school's data is isolated by database-level row-level security. No school can query another school's data under any circumstances
We never use student data to train AI models. This is contractual, not aspirational
We never sell or share school data with third parties
When you request deletion, we comply within the timelines in our Data Deletion Policy
When an incident affects you, we notify you within the timelines in our Incident Response Plan
Error monitoring (Sentry) and product analytics (PostHog) contain no student content; PIN hashes, licence keys, and student names are scrubbed before transmission

Our current security commitments are documented in detail on our Security page.

Part 8 — Quick reference

Most common things to remember:

Licence keys are secrets. Don't share them outside the school.
Default PINs must be changed. 110211 and 220422 are not secret.
Log out of shared devices.
If something looks odd, tell your coordinator.
Edsthetic never asks for your PIN by email.
Coordinators: remove staff access on the day they leave.
Student data doesn't leave the product without a clear reason.

Part 9 — When this training is due again

Schools should ensure all staff with Edsthetic access have read this document once before using the product for the first time, and once per year thereafter. Coordinators are responsible for recording completion at the school level.

Edsthetic updates this document as threats and products change. Material updates are announced by email to the school coordinator.

Contact

Questions about this training: hello@edsthetic.com.au

Security incidents: hello@edsthetic.com.au with "Security" in the subject line

General support: hello@edsthetic.com.au