Skip to content

Privacy and Security

Leading the Way in Privacy and Security for Schools.

Our Core Privacy and Security Values

Hero is proud to provide a safe and secure platform that safeguards our users’ personal data. 

Hero Security - you own the content you add to Hero

You own the content you add to Hero

All content uploaded to Hero remains yours.

Hero security - student work is private

Student work is private to those with access

Access to student data is controlled by each school and cannot be accessed without the school allowing it.

Hero security - we use the latest security industry best practices

Hero uses the latest security industry best practices

We have comprehensive measures in place to protect the integrity of your information.

 

Hero security - we will never sell your data

Hero will never sell your data or student data

Our business model is based on charging schools directly for our services.

Safer Technologies for Schools (ST4S) ensures high safety and privacy standards, helping schools confidently choose secure digital tools.

How Does Hero Backup my Data?

We treat reliability and security very seriously.

Our databases store information such as accounts, student details, posts, goals, attendance and assessment data and pupil billing. These are replicated to separate servers so that redundancy is always maintained. We perform snapshots every day, which are maintained for seven days.

We store all files on Azure Blob Storage, which is managed by Microsoft Azure. This is designed to be highly available with a 99.99% uptime guarantee. This data store is configured to be replicated to 3 different servers within the same datacenter, with geo-replication enabled in the event of a localised disaster at our primary datacenter.

Outside of this, we run a manual backup process every night with the same storage configuration, that is, locally and geo-replicated to data centres in NSW (AUS) and Victoria (AUS). Our services are stateless, load-balanced, and redundant.

We maintain a public record of uptime for Hero and provide information in the event of an outage at https://linc-ed.statuspage.io/.

Information Security Policy

 

Authority and access control policy

There are six levels of access to Hero:

  1. Developers - Access to underlying databases as well as administrative toolset for adding removing schools and data within. Any process that involves the direct editing or removal of school or student must be peer reviewed and backups checked before proceeding.
  2. Linc-Technology administrators - access to all school’s front end UI along with some limited extra functionality that is not exposed to school users.
  3. School Administrators - ability to see data for students enrolled (or former; or pre enrolled) in their school. Extended ability to edit and delete data for students if required for their role.
  4. School staff - ability to see data for students enrolled (or former; or pre enrolled) in their school. Ability to edit and delete data for students if required for their role.
  5. Caregivers - ability to view learning artefacts and information about students that they have been given access by the school ONLY. Caregiver access is controlled by the school administrators only. Linc-Technologies are not permitted to allow access to caregivers as a matter of internal policy.
  6. Students - ability to view and share learning and data. ONLY able to view and access their own data.

Sensitive data can be stored in Hero if the school so chooses, this decision is taken by the leadership of the school.

Linc-Technologies operates an internal network that can only be accessed by approved staff or contractors, this does not however provide any access to any data or services as these are all password protected as a separate process.

Expectations

Linc-Technologies, through the Hero product is the custodian of data that is potentially sensitive and is certainly valuable. All reasonable precautions must be taken to protect data stored in our service is safe, encrypted and strictly controlled.

In all development and product decisions, the central expectation is that security is the first consideration.

Our company must ensure that data is:

  • Confidential: data and information are protected from unauthorized access
  • Intact: Data is intact, complete and accurate
  • Available: Data is available to the appropriate users when needed
Data classification

There are three levels of data classification in Hero:

  1. Level 1: Public information - NO public information is housed in Hero, all data sits behind our authentication layer,
  2. Level 2: Data relating to schools themselves, this data is only accessible to authenticated users however it is publicly available data such as school website, address etc.
  3. Level 3 - Staff, student and caregiver/ contact information - confidential information that is only accessible to authenticated users in accordance with our access control policy.
Security awareness training

Yearly security awareness training is carried out for all staff and when new staff members are onboarded. This includes password training, password management tools as well as training on cyber security and latest recommendations.

Data storage, movement and protection
  1. All data within Hero is encrypted at rest and transported using https
  2. We make extensive use of JWT tokens, which specify which tenant a user has access to. Within all services this is extracted and used to inform all database queries.
  3. We hash and store passwords using OWASP's recommendation of Argon2id