Our Core Security and Privacy Values:

We will never sell your data or student data.
We will never sell or rent your data or create profiles of Hero users to sell. Our business model is based on charging schools directly for our services.
Student work is private to those who are given access by the school.
Schools control what is shared and with whom. Access to student data is controlled by each school and cannot be accessed without the school allowing it.
We use the latest security industry best practices to protect you and us.

Hero takes protecting your security and privacy seriously and we've put a number of measures in place to protect the integrity of your information.

  • Hero uses TLS security at the network level to ensure all account information and data is transmitted securely.
  • Post Content (e.g., photos, video, audio, and other content you add to Hero) is encrypted at rest.
  • All passwords are salted and hashed using Argon2id.
  • Hero conducts a yearly, 3rd party security audit to verify the security and integrity of our systems and internal controls.
  • Account information is stored in highly secure, access-controlled Microsoft Azure and AWS (Amazon Web Services) data centers.
  • We have adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support).
  • All employees undergo a background check before beginning employment at Hero, sign a nondisclosure agreement, and immediately lose access to all internal systems and data when terminated.
  • We routinely monitor our systems for security breaches and attempts at inappropriate access.
You own the content you add to Hero.
View our Privacy Policy

How does Hero backup my data?

We treat reliability and security very seriously.

Our databases store information such as accounts, student details, posts, goals, attendance and assessment data and pupil billing. These are replicated to separate servers so that redundancy is always maintained. We perform snapshots every day, which are maintained for seven days. We store all files on Azure Blob Storage, which is managed by Microsoft Azure. This is designed to be highly available with a 99.99% uptime guarantee. This data store is configured to be replicated to 3 different servers within the same datacenter, with geo-replication enabled in the event of a localised disaster at our primary datacenter. Outside of this, we run a manual backup process every night with the same storage configuration, that is, locally and geo-replicated to data centres in NSW (AUS) and Victoria (AUS). Our services are stateless, load-balanced, and redundant.

We maintain a public record of uptime for Hero and provide information in the event of an outage at https://linc-ed.statuspage.io/.

Information Security Policy

Expectations

Hero Software for NSW Schools pty ltd, through the Hero product is the custodian of data that is potentially sensitive and is certainly valuable. All reasonable precautions must be taken to protect data stored in our service is safe, encrypted and strictly controlled.

In all development and product decisions, the central expectation is that security is the first consideration.

Our company must ensure that data is:

  • Confidential: data and information are protected from unauthorized access
  • Intact: Data is intact, complete and accurate
  • Available: Data is available to the appropriate users when needed
Authority and access control policy

There are six levels of access to Hero:

  1. Developers - Access to underlying databases as well as administrative toolset for adding removing schools and data within. Any process that involves the direct editing or removal of school or student must be peer reviewed and backups checked before proceeding.
  2. Hero Software for NSW Schools pty ltd administrators - access to all schools' front end UI along with some limited extra functionality that is not exposed to school users.
  3. School Administrators - ability to see data for students enrolled (or former; or pre enrolled) in their school. Extended ability to edit and delete data for students if required for their role.
  4. School staff - ability to see data for students enrolled (or former; or pre enrolled) in their school. Ability to edit and delete data for students if required for their role.
  5. Caregivers - ability to view learning artefacts and information about students that they have been given access by the school ONLY. Caregiver access is controlled by the school administrators only. Hero Software for NSW Schools pty ltd are not permitted to allow access to caregivers as a matter of internal policy.
  6. Students - ability to view and share learning and data. ONLY able to view and access their own data.

Sensitive data can be stored in Hero if the school so chooses, this decision is taken by the leadership of the school.

Hero Software for NSW Schools pty ltd operates an internal network that can only be accessed by approved staff or contractors, this does not however provide any access to any data or services as these are all password protected as a separate process.

Data classification

There are three levels of data classification in Hero:

  1. Level 1: Public information - NO public information is housed in Hero, all data sits behind our authentication layer,
  2. Level 2: Data relating to schools themselves, this data is only accessible to authenticated users however it is publicly available data such as school website, address etc.
  3. Level 3 - Staff, student and caregiver/ contact information - confidential information that is only accessible to authenticated users in accordance with our access control policy.
Data storage, movement and protection
  1. All data within Hero is encrypted at rest and transported using https
  2. We make extensive use of JWT tokens, which specify which tenant a user has access to. Within all services this is extracted and used to inform all database queries.
  3. We hash and store passwords using OWASP's recommendation of Argon2id
Security awareness training

Yearly security awareness training is carried out for all staff and when new staff members are onboarded. This includes password training, password management tools as well as training on cyber security and latest recommendations.