Effective Date: 10/05/25
Fastgrade Pty Ltd ("we", "us", or "our")
1. Purpose
This Security Policy outlines our commitment to safeguarding the confidentiality, integrity, and availability of data hosted on our education SaaS platform (the "Platform"). It describes the physical, technical, and administrative security measures in place to protect the data of all users, including students, educators, and institutions.
2. Scope
This policy applies to all employees, contractors, partners, and systems that have access to or process data via the Platform. It covers the infrastructure, applications, networks, and data hosted in our production environment.
3. Hosting & Data Location
All platform data is securely hosted using Amazon Web Services (AWS), with all infrastructure and backups residing in AWS data centers located in Australia. AWS complies with ISO 27001, SOC 2, and IRAP (Information Security Registered Assessors Program) standards.
4. Data Protection Measures
- Encryption
  - Data is encrypted in transit using TLS 1.2 or higher.
  - Data is encrypted at rest using AES-256 through AWS Key Management Service (KMS).
- Access Controls
  - Role-based access controls (RBAC) ensure users can only access data appropriate to their role.
  - Multi-factor authentication (MFA) is enforced for internal administrative access.
  - The principle of least privilege is applied to all system accounts.
- Authentication
  - User authentication uses secure password hashing (e.g., bcrypt).
  - Session tokens are signed and expire after a defined inactivity period.
5. Application Security
- Regular penetration testing is conducted by independent third parties.
- All code is reviewed and tested using secure development lifecycle (SDLC) practices.
- Input validation and output encoding are used to prevent common web vulnerabilities (e.g., XSS, SQL injection).
6. Network Security
- Firewalls and security groups restrict inbound and outbound traffic to necessary ports and protocols.
- Virtual Private Clouds (VPCs) are configured with segmentation between application layers.
- AWS GuardDuty and AWS WAF are used for intrusion detection and web threat prevention.
7. Monitoring & Logging
- All access to sensitive systems is logged and monitored.
- AWS CloudTrail and CloudWatch are used for auditing and real-time alerts.
- Logs are stored securely and reviewed periodically for anomalies.
8. Incident Response
- We maintain an Incident Response Plan that includes detection, containment, eradication, recovery, and communication procedures.
- Users will be notified within a reasonable timeframe if their data is involved in a security breach, in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).
9. Backup & Disaster Recovery
- Nightly backups are performed and stored in separate secure locations within AWS (in Australia).
- Regular disaster recovery testing is conducted to ensure service continuity.
- Backup data is encrypted and retained for a minimum of [insert retention policy, e.g., 30 days].
10. Employee Security Practices
- All employees undergo background checks and sign confidentiality agreements.
- Security awareness training is conducted annually.
- Access to production environments is limited to authorised technical staff only.
11. Third-Party Security
- Third-party vendors (e.g., payment processors, analytics) are vetted for security compliance.
- Data shared with third parties is minimised and subject to contractual safeguards and compliance reviews.
12. Policy Review and Updates
This policy is reviewed annually or whenever significant changes to our systems, infrastructure, or the threat landscape occur. Updates will be documented, and stakeholders will be notified of material changes.
13. Contact
For any questions or concerns related to this Security Policy, please contact:
Wilhelm Fernando - wilhelm@fastgrade.com.au