Security.
How we protect partner and learner data. We've stated this in specifics where we can. Where a posture is in progress, we say so.
Hosting and data location
We host data in the region appropriate to the partner's jurisdiction. For Australian partners, that means Australian residency by default.
- Cloud provider: [to confirm — e.g., AWS / Azure / GCP].
- Primary data residency: [to confirm — e.g., AWS Sydney ap-southeast-2].
- Cross-border transfer: [if applicable, mechanisms to confirm].
Encryption
- In transit: TLS 1.2+ on all endpoints.
- At rest: AES-256 (or equivalent — to confirm).
- Key management: [to confirm — managed KMS, customer-managed keys, etc.].
Authentication and access
- SSO support: [to confirm — SAML 2.0 / OIDC].
- Multi-factor authentication: [to confirm — available / required for admin].
- Role-based access control: yes — scope to be described.
- Session management: [to confirm — timeouts, refresh policies].
Certifications
Honest framing — held, in progress, or not pursued. Smaller partners may not need certifications we'd pursue for larger or more regulated ones.
HELD
[List of current certifications — likely none at v1; we will not fabricate.]
IN PROGRESS
[List of certifications in active pursuit, with realistic timeframes — e.g., SOC 2 Type 1, ISO 27001, IRAP if applicable.]
NOT PURSUED
We're explicit about what we're not pursuing yet. No silent gaps.
Vulnerability management
- Penetration testing cadence: [to confirm].
- Vulnerability disclosure process: responsible disclosure email below.
- Patch management posture: [to confirm].
Incident response
- Incident response plan exists / is tested / is updated [cadence to confirm].
- Notification SLAs to partners on confirmed breaches: [to confirm].
- Australian Notifiable Data Breaches scheme alignment.
Data retention and deletion
Retention is aligned to the regulatory timelines for each partner sector and documented in the data processing agreement. The retention policy is specific, not generic: it states each data category, how long it is kept, who can access it during that period, and how it is destroyed at end of retention.
Sub-processors
- Up-to-date list of sub-processors: hosting, AI model providers, analytics, support, payment.
- Notification mechanism for sub-processor changes: [to confirm].
Reporting a security issue
If you've found a vulnerability or have a security concern, email [email protected]. We'll acknowledge within [SLA — to confirm] and work with you under responsible disclosure.