Linc-Technologies, through the Hero product is the custodian of data that is potentially sensitive and is certainly valuable. All reasonable precautions must be taken to protect data stored in our service is safe, encrypted and strictly controlled.

In all development and product decisions, the central expectation is that security is the first consideration.

Our company must ensure that data is:

• Confidential: data and information are protected from unauthorized access
• Intact: Data is intact, complete and accurate
• Available: Data is available to the appropriate users when needed

There are six levels of access to Hero:

1. Developers - Access to underlying databases as well as administrative toolset for adding removing schools and data within. Any process that involves the direct editing or removal of school or student must be peer reviewed and backups checked before proceeding.
2. Linc-Technology administrators - access to all school’s front end UI along with some limited extra functionality that is not exposed to school users.
3. School Administrators - ability to see data for students enrolled (or former; or pre enrolled) in their school. Extended ability to edit and delete data for students if required for their role.
4. School staff - ability to see data for students enrolled (or former; or pre enrolled) in their school. Ability to edit and delete data for students if required for their role.
5. Caregivers - ability to view learning artefacts and information about students that they have been given access by the school ONLY. Caregiver access is controlled by the school administrators only. Linc-Technologies are not permitted to allow access to caregivers as a matter of internal policy.
6. Students - ability to view and share learning and data. ONLY able to view and access their own data.

Sensitive data can be stored in Hero if the school so chooses, this decision is taken by the leadership of the school.

Linc-Technologies operates an internal network that can only be accessed by approved staff or contractors, this does not however provide any access to any data or services as these are all password protected as a separate process.

There are three levels of data classification in Hero:

1. Level 1: Public information - NO public information is housed in Hero, all data sits behind our authentication layer,
2. Level 2: Data relating to schools themselves, this data is only accessible to authenticated users however it is publicly available data such as school website, address etc.
3. Level 3 - Staff, student and caregiver/ contact information - confidential information that is only accessible to authenticated users in accordance with our access control policy.

1. All data within Hero is encrypted at rest and transported using https
2. We make extensive use of JWT tokens, which specify which tenant a user has access to. Within all services this is extracted and used to inform all database queries.
3. We hash and store passwords using OWASP's recommendation of Argon2id

Yearly security awareness training is carried out for all staff and when new staff members are onboarded. This includes password training, password management tools as well as training on cyber security and latest recommendations.