Security & Privacy
Edsthetic was built in and for Australian schools. Every security and privacy decision reflects the obligations and expectations of the Australian education sector - from the Privacy Act 1988 (Cth) to the sensitivity of NCCD disability data.
English writing assessment platform for Years 3–12. Built and operated from Australia.
This page is the public security summary for Writeiq, the English writing assessment platform from Edsthetic Pty Ltd (ABN 70 939 441 240). It is written to help school IT coordinators and Privacy Officers complete their own Privacy Impact Assessment (PIA) and Safer Technologies for Schools (ST4S) review. The full reference is the Writeiq Security & Privacy Overview v1.6; this page mirrors it. Edsthetic does not complete or sign PIAs on a school’s behalf; the PIA remains the school’s responsibility, and we provide the underlying facts to populate it.
Edsthetic-wide context. Writeiq and Allocateiq (Edsthetic’s separate learning-support allocation platform) run on the same Australian infrastructure, but they are distinct products with separate data. This page describes Writeiq only. Allocateiq: including its handling of NCCD disability data ) is assessed separately and is documented on its own. Where a control below is genuinely shared at the infrastructure layer, it is noted as such.
Security is the default at every layer of Writeiq. The architecture is designed for the Australian school context: data stays in Australia, every school’s data is isolated from every other school’s at the database layer, and no human or model uses student writing for any purpose other than producing feedback for that school.
All customer data is stored in Sydney, Australia, on AWS ap-southeast-2, via Supabase (managed PostgreSQL). Data is held in Australia under a data residency commitment and is not replicated, mirrored, or backed up to any non-Australian location. AWS Sydney is ISO/IEC 27001 certified and hosts data for Australian Government, banking, and university workloads.
Data at rest is encrypted with AES-256 (keys protected by FIPS 140-2 compliant HSMs). Data in transit uses TLS 1.2 or higher with modern ciphersuites on every connection: browser, app, and server-to-sub-processor. HTTPS is enforced on every endpoint; no unencrypted connection is accepted at any layer.
Writeiq runs a single PostgreSQL database shared across schools, with each school’s data isolated by PostgreSQL Row-Level Security (RLS) enforced inside the database engine itself, not by application code alone. Every read and write to school data also passes through a SECURITY DEFINER function that re-checks the user’s school against the data’s owner. Two independent controls; no school can ever see another school’s rows.
All public traffic routes through Cloudflare, which provides a Web Application Firewall (blocking SQL injection, cross-site scripting and request smuggling), DDoS mitigation at the edge, bot management, and rate limiting on sensitive endpoints (login, password reset). TLS is terminated at the edge and re-encrypted to origin. No school firewall changes are required: Writeiq is reachable on standard HTTPS port 443.
Every staff member has their own individual account. Staff email/password authentication is handled by Supabase Auth (Edsthetic never stores or sees a staff password), or staff sign in via their school’s Google Workspace or Microsoft 365 Single Sign-On (OAuth 2.0 with PKCE), where the school’s identity provider remains the source of truth and Edsthetic never sees the user’s Google or Microsoft password. TOTP multi-factor authentication is available to all staff and is mandatory for school administrators under the default policy. Historical note: the previous per-school shared-PIN and licence-key model has been retired for staff; staff now use per-user accounts.
Time-based One-Time Password (TOTP, RFC 6238) MFA is available for staff and works with Google Authenticator, Microsoft Authenticator, Authy, 1Password, and any compliant app. MFA is required for school administrators and optional for teachers at the school’s discretion. Schools using Google or Microsoft SSO automatically inherit any MFA policy enforced by their identity provider. TOTP secrets are stored AES-GCM-encrypted.
Students do not need email accounts, passwords, or SSO. Three school-controlled access paths are available: Class Links (recommended: a signed, school- and class-scoped URL or QR code that is itself the credential); Student Access Code (a school-set code typed once per device, rotated by the administrator); and optional Student SSO (opt-in per school for those with Google Workspace for Education or Microsoft Entra ID). The students table holds demographic data only: no password hashes, no TOTP secrets, no auth identity. Students never see other schools’, classes’, or students’ work.
Every sign-in attempt (successful or failed) is logged with timestamp, source IP, user agent, and authentication method. Every administrative action (creating an account, changing a role, removing a user, committing a bulk import) is also logged. The audit log is retained for at least twelve months and can be exported to a school’s IT or compliance team on request.
Automated daily backups are retained for 30 days, and point-in-time recovery is available for the last 7 days at five-minute granularity. All backups are encrypted with AES-256 and stored in the AWS Sydney region; they are never replicated outside Australia.
Pages are served with HSTS (2 years, includeSubDomains, preload), Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy. Session cookies are HttpOnly, Secure, SameSite=Strict, and host-scoped to app.writeiq.com.au; JWT session tokens are never written to localStorage or sessionStorage.
Writeiq’s marking and feedback are produced by sending student writing to Anthropic’s Claude API. This is the only point at which student writing leaves Edsthetic’s own infrastructure, and it does so under a written Data Processing Agreement that prohibits the use of customer data to train, improve, or evaluate their models. The scores returned are always presented as a recommendation a teacher can accept, adjust, or reject; Writeiq supports but never replaces teacher professional judgement.
| Submission type | What is sent to Anthropic | What is never sent |
|---|---|---|
| Typed submissions (the most common case) |
The writing text, the writing type (narrative, persuasive, analytical, recount, etc.), the year level, the subject context, and the marking rubric and criteria. The piece cannot be linked back to an individual student from the API call alone. | Student first or last name; student identifier (CASES21 ID, school UID); class name or code; teacher name; school name or identifier; any other student personal information. |
| Handwritten scans (honest disclosure) |
The scanned page image as captured for transcription. Because students conventionally write their name at the top of paper work, that handwritten name is visible to Anthropic during transcription, as it would be to any relief teacher marking a paper stack. Anthropic returns the name as text so the transcript attaches to the right student record; it does not retain the image beyond standard operational processing. | For schools wanting stricter control: students can write a school-issued student UID instead of their name (no Writeiq change required), and Edsthetic is trialling automated cropping/redaction of name regions before transmission for Term 3 2026. |
Anthropic’s DPA (effective 24 February 2025) commits to: no sale or sharing of customer personal data; no use beyond performing the service; 48-hour Security Breach notification to Edsthetic; deletion of customer data within 30 days of termination; AES-256 at rest and TLS 1.2+ in transit; MFA for all personnel with data access; and SOC 2 Type II and ISO/IEC 27001 certification. Anthropic’s Trust Center is at trust.anthropic.com.
For schools migrating existing rosters into Writeiq, the admin panel offers two bulk-import paths: single-file CSV (separate files for classes, staff, and students) and OneRoster 1.2 ZIP bundle (the standard export format used by Compass, Edval, Sentral, Edumate, and most Australian school management systems). The architectural choices below are PIA-relevant.
CSV and OneRoster ZIP files uploaded by school administrators are parsed entirely in the browser using established libraries (PapaParse for CSVs, JSZip for archives). The raw file is never transmitted to Edsthetic’s infrastructure; only the parsed and validated row data crosses the network to the import Postgres functions. So a file containing accidental clipboard contents, hidden columns, or formatting artefacts never reaches the server in raw form, and closing the browser tab before commit discards the entire upload.
Importing student data via CSV or OneRoster populates demographic and class-assignment information only. No auth.users row is created for any imported student, no password is set, and no SSO link is established. Student access remains exclusively via Class Links, Student Access Code, or opt-in SSO.
Every bulk import is a dry-run validation followed by a separate commit. The dry-run returns the full diff (insert / update / unchanged / archive / unarchive) plus per-row errors and warnings, without touching data. Commit proceeds only if there are no errors and the administrator has acknowledged any warnings; replace mode (archiving rows absent from the upload) requires a second confirmation. Every commit is written to the school’s audit log.
Writeiq uses seven contracted sub-processors, each bound by a written agreement with confidentiality, security, and data-handling obligations. Two (Supabase and Anthropic) process school data directly; the rest provide edge, email, and operational telemetry only, with no student writing or names in their payloads. Edsthetic notifies schools at least 30 days before any change to this list (published at edsthetic.com.au/legal/sub-processors).
| Sub-processor | Purpose | Data processed | Location / certifications |
|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database, authentication, edge functions, file storage | All school data: student records, writing submissions, feedback, staff accounts, configuration | Sydney AU (data) · San Francisco (entity) · SOC 2 Type II, ISO 27001 via AWS · DPA with SCCs |
| Anthropic, PBC | Marking and feedback generation; handwriting transcription (no training on customer data) | Typed: writing text, type, year level, subject, rubric: no names/IDs/school. Scanned: page image (handwritten name visible during transcription). See the Marking and feedback section above. | United States (encrypted in transit) · SOC 2 Type II, ISO/IEC 27001 · Commercial DPA, SCCs |
| Cloudflare, Inc. | Edge network: WAF, DDoS protection, bot management, TLS termination, rate limiting | No stored school data. Inspects request metadata at the edge to filter attacks. | Global edge (Sydney POP) · SOC 2 Type II, ISO/IEC 27001 |
| Amazon Web Services (SES) | Transactional email delivery (staff invitations, account notifications, report delivery) | Recipient email address and message body (invitation claim links, notifications). No submission content; no student PII in message bodies. Edsthetic is the sender; SES is the carrier. | AWS ap-southeast-2 (Sydney) · ISO/IEC 27001, SOC 2 Type II · 30-day bounce/complaint retention |
| Sentry (Functional Software, Inc.) | Error monitoring with PII scrubbing | Stack traces and sanitised context. Textarea contents, passwords/PINs, and URL query strings are masked or stripped before transmission. No student writing or names. | US/EU · SOC 2 Type II |
| PostHog, Inc. | Product usage analytics | Event names, timestamps, and aggregated context (role, school identifier). No student writing, names, or feedback. | US · SOC 2 Type II · GDPR data processing terms |
| Netlify, Inc. | Static asset and serverless function hosting (marketing site, API edge functions) | No stored school data. Static file serving and standard access logs. | Global edge · SOC 2 Type II |
| Stripe, Inc., only when billing is active | Payment processing for paid (billed) deployments | No stored school, staff, or student data. Billing-contact and payment details only; not used in pilot or unbilled deployments. | United States · PCI DSS Level 1, SOC 2 Type II |
These are contractual commitments made in the Data Processing Agreement signed with each school, not terms changeable through a policy update.
| We never | Why this matters for schools |
|---|---|
| Use student data for advertising | No student profile, behaviour, or writing data is ever used to serve, target, or optimise advertising: for any product, from any company, including Edsthetic. |
| Train external models on school data | Student writing and assessment results are never used to train, improve, or evaluate any model. Anthropic’s DPA independently prohibits training on API-submitted data; writing sent for analysis is processed transiently. |
| Sell or share data with third parties | School data is not sold, licensed, or shared with any third party for commercial purposes. The seven sub-processors above operate only under binding data processing agreements. |
| Store credentials in plain text | Staff email/password authentication is handled by Supabase Auth; Edsthetic never stores or sees a staff password. TOTP secrets are encrypted with AES-GCM at the application layer, and TOTP recovery codes are hashed with PBKDF2-SHA-256. No credential is stored, logged, or transmitted in plain text. |
| Store school data outside Australia | All stored school data (database, file storage, account records, submissions, backups) is held in AWS Sydney (ap-southeast-2) and never replicated outside Australia. The only processing outside Australia is marking and feedback by Anthropic (US), under the DPA above, with no student identifiers sent for typed submissions. |
Edsthetic maintains a documented incident response procedure covering detection, containment, investigation, notification, remediation, and post-incident review, integrated with the obligations its sub-processors hold.
Supabase and Anthropic each commit to notify Edsthetic of a Security Incident within 48 hours of becoming aware. Edsthetic, in turn, commits to notify any affected school within 72 hours of confirmation; the 24-hour buffer allows scope to be investigated and accurate information assembled for the school’s response.
For an eligible data breach under the Privacy Act 1988 (Cth), Edsthetic complies with the Notifiable Data Breaches scheme, including notifying the Office of the Australian Information Commissioner (OAIC), and cooperates with any state Department of Education investigation.
Suspected incidents should be reported to security@edsthetic.com.au. We acknowledge security reports within four working hours during Australian business hours (next working day otherwise). Full detail is in our Incident Response Plan.
| Obligation | Framework | How Edsthetic meets it |
|---|---|---|
| Australian Privacy Principles | Privacy Act 1988 (Cth), Schedule 1 | Compliant with APP 1, 3, 6, 8, 11, 12, 13. Privacy policy at /privacy. DPA available for school sign-off before any paid contract. |
| Victorian Information Privacy Principles | Privacy and Data Protection Act 2014 (Vic) | Data handling designed to satisfy both the APPs and the Victorian IPPs concurrently, meeting the higher standard of the two on every control. |
| Notifiable Data Breaches | Part IIIC, Privacy Act 1988 (Cth) | Bound under the scheme. OAIC notified as required; affected schools notified within 72 hours of confirmation. |
| Cross-border disclosure | APP 8 | Storage is exclusively in Australia. The only cross-border processing is marking and feedback by Anthropic (US) under a written DPA with a no-training clause and no student identifiers for typed submissions. |
| Access & correction | APP 12 & 13 | Parents, students, and staff request access/correction through the school; the school administrator fulfils requests directly. Edsthetic assists on request at privacy@edsthetic.com.au. |
Items marked in place are operating now; dated items are scheduled on the published roadmap.
| Assurance | What it is | Status / target |
|---|---|---|
| Internal continuous testing | Automated smoke tests on every deployment (4,000+ checks); pre-deploy build pipeline with secret-scan gate. | In place |
| Real-browser regression | Playwright-driven Chromium harness exercising real DOM events against the live build (login flow, navigation hiding, security boundary visibility). | In place |
| OWASP ZAP passive scan | OWASP ZAP passive manual exploration was completed against the live service. This was not an active penetration test. No High-risk issues were identified. SRI hardening and app-host cookie scoping were confirmed closed on the 24 May 2026 passive re-scan. | Completed · school-facing summary available on request; re-run before each commercial deployment |
| Sub-processor compliance | All seven sub-processors hold SOC 2 Type II certification. | In place |
| ST4S Readiness Check | Self-assessment submission to Safer Technologies for Schools (Education Services Australia). | Term 3 2026 submission |
| ST4S badge | Full ST4S assessment outcome and badge. | Mid-2027 target |
| External penetration test | Manual third-party offensive assessment (CREST-certified or equivalent). | 2027 |
| SOC 2 Type II (Edsthetic) | Independent audit of Edsthetic’s own controls (in addition to sub-processor certifications). | 2028 |
The most-requested Privacy Impact Assessment fields, for fast completion. Full detail is in the Security & Privacy Overview v1.6.
| Software name | Writeiq |
| Vendor | Edsthetic Pty Ltd, ABN 70 939 441 240 (Australia: Federal & Victorian law) |
| Marketing URL | https://edsthetic.com.au |
| Application URL | https://app.writeiq.com.au |
| Hosting location | Sydney, Australia (AWS ap-southeast-2) via Supabase |
| Encryption | AES-256 at rest (FIPS 140-2 HSM key management); TLS 1.2+ in transit |
| Authentication (staff) | Per-user accounts. Email + password or Google/Microsoft SSO. TOTP MFA required for admins, optional for teachers. |
| Authentication (students) | No email/password required. Class Links (recommended), Student Access Code, or opt-in Student SSO. |
| Authorisation | Role-based (Admin / Leader / Teacher / Student) + Row-Level Security + SECURITY DEFINER functions. |
| Account provisioning | Per-user invitations via AWS SES (Sydney); bulk CSV + OneRoster 1.2 ZIP, parsed client-side, never sent to Edsthetic servers in raw form. |
| Audit logging | All sign-ins, admin actions, and bulk-import commits. Retained at least 12 months. |
| Marking processing | Anthropic Claude API (US). No training on customer data. Typed: writing + rubric only. Scanned: image with handwritten name; UID workflow and Term 3 2026 redaction trial available. |
| Sub-processors | Supabase, Anthropic, Cloudflare, AWS SES, Sentry, PostHog, Netlify, plus Stripe only when billing is active. |
| Backups | 30 days daily backups, encrypted, in Sydney AU; 7-day point-in-time recovery. |
| Breach notification | Affected schools within 72 hours of confirmation; OAIC under the NDB scheme. |
| ST4S | Readiness Check submission Term 3 2026; badge target mid-2027. |
| Privacy / PIA contact | legal@edsthetic.com.au |
| Security incident contact | security@edsthetic.com.au |
The full reference for school privacy and IT teams populating a PIA for Writeiq. Version 1.6, 12 May 2026. Download PDF →
Deletion triggers, timelines, and backup retention (30-day backup window, 7-day PITR). Aligned with APP 11.2. Read policy →
How we detect, contain, and notify on incidents. 72-hour school notification; OAIC under the NDB scheme. Read plan →
A practical guide for administrators, teachers, and support staff. Schools should ensure staff read it before first use. Read training →
The formal DPA governing processing of school data, signed before any paid contract. Download PDF →
PIA support, DPA requests, and data deletion: legal@edsthetic.com.au · Security incident reports: security@edsthetic.com.au