Trust Centre
Where we are on HECVAT, SOC 2, ISO 27001 and the AU Privacy Act, set out clearly.
We tell you where we are today and don't claim a badge we haven't earned.
We don't claim certifications we haven't earned. This is the current picture of where we are.
What is in place today
Where we stand today: what you can rely on now, and what's coming.
01
Privacy Act alignment
The product is built to align with the Australian Privacy Act and its APPs, with data minimisation and student rights designed in.
02
HECVAT responses
We maintain HECVAT-Lite self-assessment responses and will complete your institution's own security questionnaire alongside them, under NDA.
03
SOC 2: on the roadmap
We operate the controls SOC 2 looks for — access control, logging, and a documented change-management process where changes are tested in a separate non-production environment before release — and a formal audit is on the roadmap, not something we claim today.
04
ISO 27001: on the roadmap
An information-security management system aligned to ISO 27001 is planned. We're clear about that gap and don't imply a certificate we haven't earned.
What you can ask for
The documents and answers we can put in front of a vendor-assessment team.
HECVAT responses
A completed HECVAT-Lite self-assessment covering our security and privacy posture, available under NDA for procurement.
Architecture summary
A plain description of how tenants are isolated, where data lives, and how access is controlled.
Subprocessor list
A current, dated list of every subprocessor, its purpose, and its region.
DPA
A Data Processing Agreement covering roles, security, subprocessors, and breach notification. Current draft in counsel review.
Questionnaire support
We'll complete your institution's own security questionnaire alongside the standard documents.
Running a vendor assessment?
Ask for our HECVAT responses and compliance document set.
What we never do
Support means seeing the pattern, not the person. These limits are built into the product, not just promised in a policy.
We never sell or share student data
Student data is used to run First Six for your institution — never sold, rented, or handed to advertisers or data brokers. Full stop.
We never build watchlists
Individual wellbeing answers stay private to the student. Staff see aggregate trends with small groups suppressed — never a named list of who to watch.
We never train external AI on student data
Student records are not used to train third-party models. AI features process only what staff submit, and that content is not retained for training.
We never hide where data lives
The system of record stays in Australia, and every subprocessor and region is listed openly here in the Trust Centre. No surprises.
Frequently asked questions
What security, privacy, and procurement teams ask us most.
Not yet, and we won't imply otherwise. Both are on our roadmap. Today we operate the controls those frameworks look for and can walk you through them, but the formal certifications are still ahead of us.
Yes. We maintain HECVAT responses and will complete your institution's own questionnaire as part of the assessment, under NDA.
Yes. Data minimisation, disclosure of overseas subprocessors, and student data rights are built in to align with the Privacy Act and the Australian Privacy Principles.
Our privacy posture (minimisation, purpose limitation, data rights, and a DPA) aligns closely with GDPR principles. For institutions with EU obligations we're happy to walk through the specifics.
A Data Processing Agreement is part of our legal pack. It covers processing roles, security measures, subprocessors, and breach notification. The current draft is in counsel review; we share the working version under NDA on request.
See it for your next cohort.
Currently meeting with universities.