Trust Centre
Our pre-filled HECVAT-Lite responses for your vendor security review: strong technical controls today, an honest list of what's still in progress, and the documents behind each answer.
A vendor security questionnaire, answered before you ask
HECVAT, the Higher Education Community Vendor Assessment Toolkit, is the security questionnaire many universities run on a new vendor. Rather than make you send a blank one and wait, we keep a pre-filled HECVAT-Lite self-assessment that reflects the current state of First Six, and we are deliberately upfront about what is and isn't in place.
The short version: First Six meets or exceeds the technical controls a standard HECVAT looks for. The open items are independent attestation and process maturity, which we propose as milestones for a pilot rather than blockers.
Headline answers
How to use our HECVAT in your review
You don't have to send a blank questionnaire and wait. This is the fast path.
01
Ask for the responses
Request our HECVAT-Lite self-assessment through your contact or procurement. We share it under NDA.
02
Check it against your checklist
The responses map to the standard HECVAT sections: company and documentation, data handling and privacy, authentication and access, application and infrastructure security, and hosting and business continuity.
03
Read the gaps, not just the ticks
We mark each item honestly as Yes, Partial, Planned, or No, with a note explaining it. A candid 'not yet, and here is the plan' is more useful to a reviewer than an optimistic yes a pen test would contradict.
04
Set milestones for a pilot
Where an item is still in progress, like SOC 2, a third-party pen test, or the DPA, we're happy to make it a contractual milestone for a pilot rather than a blocker.
What the answers cover
The five areas a HECVAT review walks, and where First Six stands today.
In place today
Encryption in transit and at rest, single sign-on with institution-enforced MFA, row-level tenant isolation, append-only audit logging, data minimisation with small-cell suppression, and a documented change-management process with testing in a separate non-production environment.
Data handling and privacy
Australian data residency, no student data used to train AI, deletion and export on request, and minimisation built in.
Access and isolation
OIDC single sign-on with Microsoft Entra live, role-based access, server-side session revocation, and row-level security across every table.
App and infrastructure
Security headers, CSRF protection, rate limiting, secrets kept out of source, and dependency hygiene. The content security policy runs in report-only while violations are reviewed.
Still in progress
SOC 2, ISO 27001, a third-party penetration test, a finalised DPA, and cyber insurance. We track these openly and propose them as pilot milestones.
Running a vendor assessment?
Ask for our HECVAT responses and the supporting document set, and we'll map them to your checklist.
What we never do
Support means seeing the pattern, not the person. These limits are built into the product, not just promised in a policy.
We never sell or share student data
Student data is used to run First Six for your institution — never sold, rented, or handed to advertisers or data brokers. Full stop.
We never build watchlists
Individual wellbeing answers stay private to the student. Staff see aggregate trends with small groups suppressed — never a named list of who to watch.
We never train external AI on student data
Student records are not used to train third-party models. AI features process only what staff submit, and that content is not retained for training.
We never hide where data lives
The system of record stays in Australia, and every subprocessor and region is listed openly here in the Trust Centre. No surprises.
Frequently asked questions
What security, privacy, and procurement teams ask us most.
HECVAT is the Higher Education Community Vendor Assessment Toolkit, the security questionnaire many universities run on a new vendor. We maintain pre-filled HECVAT-Lite responses so your review can start straight away.
Not yet, and we won't imply otherwise. Both are on our roadmap. The technical controls those frameworks look for are largely in place today; the independent attestation is what's still ahead.
Ask through your contact or procurement and we'll share the HECVAT-Lite self-assessment, along with our security overview, subprocessor list, and incident-response summary, under NDA.
Yes. If your institution has its own security questionnaire, we'll complete it as part of the assessment.
We're candid about them: no SOC 2 or third-party pen test yet, a DPA being finalised, and no cyber insurance in force. Prod and non-prod separation, previously listed here as a gap, is now in place as of July 2026. Each remaining item is tracked in our risk register and can be a pilot milestone.
See it for your next cohort.
Currently meeting with universities.