Security Policy
Last updated: 21 April 2026
BandBoost is operated by Aria Infotech Pty Ltd. We take the security of student data seriously. This page explains how we protect the platform and what you can expect from us.
1. Our Security Commitments
- All data is encrypted in transit using TLS 1.3 and at rest using AES-256
- Student personal data is stored in Australia (Sydney region) on Supabase infrastructure
- We operate a least-privilege access model: each part of the platform only accesses the data it needs
- We do not sell student data to any third party, ever
- We do not use student data for advertising or profiling
- We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
2. Data Storage and Access
All student data, parent accounts, and test results are stored in Supabase PostgreSQL, hosted in the AWS Sydney region (ap-southeast-2). Access to this data is controlled by row-level security policies that ensure:
- Parents can only access their own students' data
- Teachers and school admins can only access data for their own school's students
- No user can access another family's or school's records
Administrative access to the platform is protected by mandatory two-factor authentication.
3. AI and Student Writing
BandBoost uses Claude by Anthropic to assess student writing responses. We take the following precautions to protect student data in this process:
- Only the writing submission text is sent to Anthropic, never the student's name or personal details
- Anthropic does not use BandBoost data to train its AI models (confirmed under Anthropic's API usage policies)
- Writing text is not retained by Anthropic beyond the duration of the API call
- All AI calls are sent over encrypted HTTPS connections
- We screen all writing input for prompt injection attempts before sending to the AI
Multiple-choice and short-answer questions are evaluated deterministically and never sent to any AI service.
4. Platform Security Controls
- Rate limiting: All API endpoints are protected against high-volume automated requests
- Bot blocking: Automated tools and scrapers are blocked at the network edge
- DDoS protection: Cloudflare is used to absorb volumetric attacks
- Geo-restriction: The platform is available to Australian users only
- CAPTCHA: Cloudflare Turnstile protects login and signup flows against automation
- Account lockout: Accounts are locked after repeated failed login attempts
- Session management: Sessions are invalidated on password change, and on account suspension they are invalidated across all devices
- Vulnerability scanning: Dependencies are scanned weekly for known security vulnerabilities
- Secret scanning: All code changes are automatically scanned for accidentally committed API keys
5. Payments
All payments are processed by Stripe, which is certified to PCI DSS Level 1 (the highest level of payment security). BandBoost never sees or stores your full card number. We only receive a payment confirmation and the amount charged. Stripe's security certifications can be viewed at stripe.com/docs/security.
6. Third-Party Suppliers
We use a small number of carefully selected third-party services to operate BandBoost. All Tier 1 suppliers hold SOC 2 Type II certification or equivalent:
| Supplier | Purpose | Data location |
|---|---|---|
| Supabase | Database and authentication | Sydney, Australia |
| Vercel | Web application hosting | Sydney edge + US origin |
| Anthropic | AI writing assessment | US (API only, no retention) |
| Stripe | Payment processing | US (no student data) |
| Zoho ZeptoMail | Transactional email | Australia (Sydney) |
| Cloudflare | CDN and DDoS protection | Global edge (no personal data) |
We have Data Processing Agreements in place with all suppliers who process personal data. Cross-border transfers to US-based suppliers comply with Australian Privacy Act APP 8 requirements.
7. Data Breach Notification
In the event of a data breach that is likely to result in serious harm, we will notify affected users by email within 72 hours of confirmation, and notify the Office of the Australian Information Commissioner (OAIC) within 30 days, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988.
8. Responsible Disclosure
If you believe you have found a security vulnerability in BandBoost, please report it to us responsibly before disclosing it publicly. Contact [email protected] with details of the issue. We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities promptly. We ask that you do not access, modify, or delete any user data during your testing.
9. Contact
For security concerns, contact [email protected]. For general privacy questions, contact [email protected].
Aria Infotech Pty Ltd · ABN available on request · Queensland, Australia
